Windows Analysis Report
8kjlHXmbAY.exe

Overview

General Information

Sample name: 8kjlHXmbAY.exe (renamed because the original name is a hash value)
Original sample name: 199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
Analysis ID: 1588569
MD5: 57f7d9095490a4aadda9e261fec73a68
SHA1: 45e51f97abc52dd29e65d7ec78e18ee8d1721867
SHA256: 199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d
Tags: exe, user-adrian__luca

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 8kjlHXmbAY.exe (PID: 6556 cmdline: "C:\Users\user\Desktop\8kjlHXmbAY.exe" MD5: 57F7D9095490A4AADDA9E261FEC73A68)
    • bankrupture.exe (PID: 5048 cmdline: "C:\Users\user\Desktop\8kjlHXmbAY.exe" MD5: 57F7D9095490A4AADDA9E261FEC73A68)
      • bankrupture.exe (PID: 6392 cmdline: "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe" MD5: 57F7D9095490A4AADDA9E261FEC73A68)
  • wscript.exe (PID: 3560 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • bankrupture.exe (PID: 712 cmdline: "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe" MD5: 57F7D9095490A4AADDA9E261FEC73A68)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |

Source | Rule | Description | Author | Strings
00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Source | Rule | Description | Author | Strings
8.2.bankrupture.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
8.2.bankrupture.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
8.2.bankrupture.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
8.2.bankrupture.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
8.2.bankrupture.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" , ProcessId: 3560, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs" , ProcessId: 3560, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe, ProcessId: 5048, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs

Stealing of Sensitive Information

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe, ProcessId: 6392, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T02:31:05.448780+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49782 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:07.911781+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49801 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:10.333868+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49820 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:12.760294+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49838 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:15.242943+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49856 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:17.646339+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49872 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:20.099067+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49885 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:22.520834+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49903 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:24.959934+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49921 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:27.381300+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49936 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:29.817565+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49953 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:32.224768+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49969 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:34.646534+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49985 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:37.100693+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:39.569043+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:42.005588+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49997 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:44.427697+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:46.834827+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:49.255615+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50001 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:51.677427+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50002 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:54.114796+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50003 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:56.536864+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50004 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:31:58.942851+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50005 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:01.350209+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50006 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:03.849170+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50007 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:06.286958+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50009 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:08.693266+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50010 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:11.130317+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50011 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:13.567840+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50013 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:15.974430+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50014 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:18.411873+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50015 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:20.853113+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50016 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:23.288257+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50017 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:25.711687+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50018 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:28.115361+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50019 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:30.427964+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50020 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:32.708872+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50022 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:34.989857+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50023 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:37.226733+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50024 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:39.445627+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50025 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:41.630752+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50026 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:43.788802+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50027 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:45.927336+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50028 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:48.037976+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50029 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:50.114843+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50030 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:52.166842+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50031 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:54.239717+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50032 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:56.271114+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50033 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:32:58.367970+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50034 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:00.381645+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50035 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:02.373647+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50036 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:04.333651+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50037 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:06.271917+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50038 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:08.193271+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50040 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:10.099683+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50041 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:11.993616+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50042 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:13.871999+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50043 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:15.724026+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50044 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:17.569731+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50045 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:19.398997+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50046 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:21.208183+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50047 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:22.989490+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50048 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:24.755066+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50049 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:26.536726+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50050 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:28.354892+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50051 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:30.057632+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50052 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:31.802369+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50053 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:33.536256+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50054 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:35.286261+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50055 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:36.989772+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50056 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:38.692627+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50057 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:40.368532+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50058 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:42.052713+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50059 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:43.755942+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50060 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:45.427023+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50061 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:47.115353+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50062 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:48.755272+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50063 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:50.411498+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50064 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:52.068379+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50065 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:53.723630+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50066 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:55.349300+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50067 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:56.974021+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50068 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:33:58.661568+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50069 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:00.302159+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50070 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:01.913201+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50071 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:03.536304+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50072 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:05.114936+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50073 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:06.771534+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50074 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:08.333433+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50075 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:09.895988+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50076 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:11.442803+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50077 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:13.005660+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50078 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:14.583561+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50079 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:16.149164+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50080 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:17.724012+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50081 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:19.270783+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50082 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:20.817755+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50083 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:22.349290+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50084 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:23.902806+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50085 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:25.442611+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50086 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:26.989638+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50087 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:28.521063+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50088 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:30.040904+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50089 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:31.553671+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50090 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:33.230979+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50091 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:34.723920+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50092 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:36.224251+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50093 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:37.723861+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50096 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:39.225786+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50097 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:40.770812+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50098 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:42.318062+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50099 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:43.864778+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50100 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:45.351542+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50101 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:46.849128+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50102 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:48.334014+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50103 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:49.805918+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50104 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:51.305688+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50105 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:52.817716+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50106 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:54.304503+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50107 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:55.786571+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50108 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:57.270928+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50109 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:34:58.770742+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50110 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:35:00.257818+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50111 | 192.210.150.26 | 8787 | TCP
2025-01-11T02:35:02.739654+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50112 | 192.210.150.26 | 8787 | TCP

AV Detection

Source: 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe; ReversingLabs: Detection: 71%
Source: 8kjlHXmbAY.exe; ReversingLabs: Detection: 71%
Source: Yara match; File source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4674782285.0000000003FEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2406102574.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: Submitted SampleIntegrated Neural Analysis Model: Matched 99.9% probability
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeJoe Sandbox ML: detected
                    Source: 8kjlHXmbAY.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,3_2_0043293A
                    Source: bankrupture.exe, 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_460de2ec-5

                    Exploits

                    Source: Yara matchFile source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTR

                    Privilege Escalation

                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00406764 _wcslen,CoGetObject,3_2_00406764
                    Source: 8kjlHXmbAY.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0033445A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033C6D1 FindFirstFileW,FindClose,0_2_0033C6D1
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0033C75C
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0033EF95
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0033F0F2
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0033F3F3
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_003337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003337EF
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00333B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00333B12
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0033BCBC
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0083445A
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083C6D1 FindFirstFileW,FindClose,2_2_0083C6D1
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0083C75C
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0083EF95
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0083F0F2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0083F3F3
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_008337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008337EF
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_00833B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00833B12
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0083BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0083BCBC
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040B335
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,3_2_0041B42F
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040B53A
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0044D5E9 FindFirstFileExA,3_2_0044D5E9
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,3_2_004089A9
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,3_2_00406AC2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,3_2_00407A8C
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00418C69
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,3_2_00408DA7
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406F06

                    Networking

                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49782 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49801 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49838 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49820 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49856 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49885 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49903 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49936 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49872 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49921 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49953 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49969 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49985 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49999 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50003 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49996 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50019 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50007 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50004 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50005 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50010 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50009 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49998 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50022 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50028 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50001 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50037 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50029 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50015 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50044 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50013 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50027 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50034 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50025 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50024 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50033 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50035 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50057 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50011 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50053 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50043 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50052 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50058 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50060 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50042 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50032 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50038 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50020 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50045 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50036 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50072 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50002 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50030 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50075 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50082 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50040 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49997 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50006 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50074 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50055 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50088 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50026 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50046 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50063 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50047 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50065 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50100 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50083 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50069 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50099 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50103 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50066 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50031 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50048 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50090 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50104 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50106 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50049 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50101 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50061 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50092 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50077 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50068 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50109 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50080 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50091 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50071 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50070 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50098 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50054 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50086 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50105 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50023 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50111 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50096 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50089 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50093 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50108 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50016 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50102 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50076 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50062 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50110 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50079 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50087 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50050 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50081 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50017 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50112 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50085 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50056 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50059 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50073 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50067 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:49995 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50084 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50078 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50014 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50041 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50107 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50018 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50051 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50064 -> 192.210.150.26:8787
                    Source: Network trafficSuricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.6:50097 -> 192.210.150.26:8787
                    Source: Malware configuration extractorIPs: 192.210.150.26
                    Source: Joe Sandbox ViewIP Address: 192.210.150.26
                    Source: Joe Sandbox ViewASN Name: AS-COLOCROSSINGUS
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_003422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_003422EE
                    Source: bankrupture.exeString found in binary or memory: http://geoplugin.net/json.gp
                    Source: bankrupture.exe, 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000003_2_004099E4
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00344164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00344164
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_00844164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00844164
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,3_2_004159C6
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00343F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00343F66
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0033001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_0033001C
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0035CABC
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0085CABC
                    Source: Yara matchFile source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTR

                    E-Banking Fraud

                    barindex
                    Source: Yara matchFile source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674782285.0000000003FEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2406102574.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTR
                    Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    Spam, unwanted Advertisements and Ransom Demands

                    barindex
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0041BB77 SystemParametersInfoW,3_2_0041BB77

                    System Summary

                    barindex
                    Source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
                    Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                    Source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: This is a third-party compiled AutoIt script.0_2_002D3B3A
                    Source: 8kjlHXmbAY.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: 8kjlHXmbAY.exe, 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f94071ac-0
                    Source: 8kjlHXmbAY.exe, 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_54200b66-3
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: This is a third-party compiled AutoIt script.2_2_007D3B3A
                    Source: bankrupture.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: bankrupture.exe, 00000002.00000002.2276041187.0000000000884000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_5630d580-a
                    Source: bankrupture.exe, 00000002.00000002.2276041187.0000000000884000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_64884a86-e
                    Source: bankrupture.exe, 00000003.00000002.4673374422.0000000000884000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_b4048487-3
                    Source: bankrupture.exe, 00000003.00000002.4673374422.0000000000884000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_f1cdeb43-c
                    Source: bankrupture.exe, 00000008.00000002.2404955093.0000000000884000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_42eb8930-2
                    Source: bankrupture.exe, 00000008.00000002.2404955093.0000000000884000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_d1a01940-8
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_002D3633
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_0035C1AC
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_0035C498
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C57D SendMessageW,NtdllDialogWndProc_W,0_2_0035C57D
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_0035C5FE
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C860 NtdllDialogWndProc_W,0_2_0035C860
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C8BE NtdllDialogWndProc_W,0_2_0035C8BE
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C88F NtdllDialogWndProc_W,0_2_0035C88F
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C93E ClientToScreen,NtdllDialogWndProc_W,0_2_0035C93E
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035C909 NtdllDialogWndProc_W,0_2_0035C909
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035CA7C GetWindowLongW,NtdllDialogWndProc_W,0_2_0035CA7C
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0035CABC
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W,0_2_002D1287
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_002D1290
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035D3B8 NtdllDialogWndProc_W,0_2_0035D3B8
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_0035D43E
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D167D NtdllDialogWndProc_W,0_2_002D167D
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D16B5 NtdllDialogWndProc_W,0_2_002D16B5
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D16DE GetParent,NtdllDialogWndProc_W,0_2_002D16DE
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035D78C NtdllDialogWndProc_W,0_2_0035D78C
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D189B NtdllDialogWndProc_W,0_2_002D189B
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035BC5D NtdllDialogWndProc_W,CallWindowProcW,0_2_0035BC5D
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035BF30 NtdllDialogWndProc_W,0_2_0035BF30
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0035BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_0035BF8C
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_007D3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_007D3633
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,2_2_0085C1AC
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_0085C498
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_0085C5FE
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C57D SendMessageW,NtdllDialogWndProc_W,2_2_0085C57D
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C88F NtdllDialogWndProc_W,2_2_0085C88F
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C8BE NtdllDialogWndProc_W,2_2_0085C8BE
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C860 NtdllDialogWndProc_W,2_2_0085C860
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C909 NtdllDialogWndProc_W,2_2_0085C909
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_0085C93E ClientToScreen,NtdllDialogWndProc_W,2_2_0085C93E
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085CA7C GetWindowLongW,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,74A3C8D0,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085D3B8 NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D167D NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D16DE GetParent,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D16B5 NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085D78C NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D189B NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085BC5D NtdllDialogWndProc_W,CallWindowProcW
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0085BF30 NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_0033A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00328310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74B55590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_003351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_008351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002DE6A0
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002FD975
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002DFCE0
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F21C5
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_003062D2
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_003503DA
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_0030242E
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F25FA
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_0032E616
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E66E1
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_0030878F
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E8808
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00350857
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00306844
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00338889
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002FCB21
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00306DB6
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E6F9E
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E3030
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F3187
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002FF1D9
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E52A5
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002D1287
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F1484
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E5520
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F7696
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E5760
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F1978
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00309AB5
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002FBDA6
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002F1D90
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_00357DDB
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002DDF00
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_002E3FE0
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: 0_2_014FAF48
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007DE6A0
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007FD975
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007DFCE0
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F21C5
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_008062D2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_008503DA
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0080242E
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F25FA
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0082E616
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E66E1
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_0080878F
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00838889
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E8808
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00806844
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00850857
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007FCB21
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00806DB6
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E6F9E
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E3030
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007FF1D9
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F3187
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007D1287
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F1484
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E5520
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F7696
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E5760
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F1978
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00809AB5
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00857DDB
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007FBDA6
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007F1D90
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007DDF00
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_007E3FE0
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 2_2_00FBB170
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0041D071
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_004520D2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0043D098
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00437150
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_004361AA
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00426254
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00431377
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0041E5DF
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0044C739
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_004267CB
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0043C9DD
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00432A49
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0043CC0C
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00434D22
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00426E73
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00440E20
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_0043CE3B
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00412F45
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00452F00
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_00426FAD
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: 3_2_012EA930
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: String function: 002D7DE1 appears 35 times
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: String function: 002F0AE3 appears 70 times
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe Code function: String function: 002F8900 appears 42 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 007F0AE3 appears 70 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 007F8900 appears 42 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 004020E7 appears 40 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 007D7DE1 appears 35 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 00401F66 appears 50 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 004338A5 appears 41 times
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe Code function: String function: 00433FB0 appears 55 times
                    Source: 8kjlHXmbAY.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
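As an added triage example (not part of the Joe Sandbox report and not a Joe Sandbox feature), the Python below parses the "Code function" lines listed above and the "Matched rule" lines that follow, in both the cleaned form and the run-together form the page extraction produced (no separator before "Code function:", the function id repeated at the end of the row, "UNPACKEDPEMatched rule:"). It groups each function's imported API chain into capability clusters and deduplicates the YARA hits per rule. The cluster names and the API sets that define them are the editor's assumptions, chosen to match the call sequences visible in this report (OpenProcess/NtSuspendProcess, DuplicateTokenEx/OpenDesktopW/CreateProcessAsUserW, ExitWindowsEx, LoadLibraryA/GetProcAddress); the sample lines are copied from the report body with the rule metadata shortened.

```python
"""Triage helper for the 'Code function' and 'Matched rule' rows of a Joe Sandbox report.

Added example, not part of the report. Handles the raw extraction form of the rows
(fused separators, function id repeated at the end) as well as the cleaned form.
The CAPABILITIES table is the editor's assumption, not a Joe Sandbox signature.
"""
import re
from collections import defaultdict

# Constructed sample input: rows copied from the report body, metadata shortened.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,3_2_0041ACC1
Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,3_2_0041ACED
Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00328310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74B55590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00328310
Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_003351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_003351BD
Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,3_2_004158B9
Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002DE6A00_2_002DE6A0
Source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows
Source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows
""".strip().splitlines()

# 'Source: <path>[ ]Code function: <pid>_<run>_<hex8>[:] <api>,<api>,...[,<id again>]'
FUNC_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<rest>.*)$"
)
# 'Source: <region>, type: <TYPE>[ ]Matched rule: <rule_name> <metadata>'
YARA_RE = re.compile(
    r"^Source:\s*(?P<src>.+?),\s*type:\s*(?P<kind>[A-Z]+?)\s*Matched rule:\s*"
    r"(?P<rule>\S+)(?P<meta>.*)$"
)
HEX_TOKEN = re.compile(r"^[0-9A-Fa-f]{8}$")   # bare call target the disassembler could not name

# Capability clusters (assumed): every API in the set must appear in the function's call list.
CAPABILITIES = [
    ("suspend/resume another process", {"OpenProcess", "NtSuspendProcess"}),
    ("suspend/resume another process", {"OpenProcess", "NtResumeProcess"}),
    ("spawn a process on another desktop/window station",
     {"DuplicateTokenEx", "OpenDesktopW", "CreateProcessAsUserW"}),
    ("shut down, reboot or power off the host", {"ExitWindowsEx"}),
    ("resolve APIs at runtime", {"LoadLibraryA", "GetProcAddress"}),
]


def parse_code_function(line):
    """Return {source, id, pid, apis, unresolved} for a 'Code function' row, else None."""
    m = FUNC_RE.match(line.strip())
    if not m:
        return None
    fid, rest = m["fid"], m["rest"].strip()
    if rest.endswith(fid):                 # the report's link column repeats the function id
        rest = rest[: -len(fid)]
    tokens = [t.strip() for t in rest.rstrip(",").split(",") if t.strip()]
    return {
        "source": m["src"],
        "id": fid,
        "pid": int(fid.split("_")[0]),     # Joe Sandbox process number (0, 2, 3, 8, ...)
        "apis": [t for t in tokens if not HEX_TOKEN.match(t)],
        "unresolved": [t for t in tokens if HEX_TOKEN.match(t)],
    }


def capabilities(apis):
    """Names of every capability cluster whose API set is fully present, table order, no repeats."""
    present, hits = set(apis), []
    for name, required in CAPABILITIES:
        if required <= present and name not in hits:
            hits.append(name)
    return hits


def summarize(lines):
    """Parse both row kinds; return (functions keyed by id, {rule_name: {(type, region), ...}})."""
    funcs, by_rule = {}, defaultdict(set)
    for line in lines:
        f = parse_code_function(line)
        if f:
            f["caps"] = capabilities(f["apis"])
            funcs[f["id"]] = f
            continue
        y = YARA_RE.match(line.strip())
        if y:
            by_rule[y["rule"]].add((y["kind"], y["src"]))
    return funcs, dict(by_rule)


if __name__ == "__main__":
    funcs, rules = summarize(SAMPLE_LINES)
    for fid, f in funcs.items():
        print(f"{fid}  pid={f['pid']}  apis={len(f['apis'])}  caps={f['caps']}")
    for rule, hits in rules.items():
        print(f"{rule}: fired on {len(hits)} region(s)")
```

Run it directly to print each function's capability list and the number of regions each YARA rule fired on; pass the report's text export (one row per line) instead of SAMPLE_LINES for the whole report. Bare 8-hex-digit tokens inside a call list (74B55590 in 0_2_00328310, 74A3C8D0 in 2_2_007D1287) are indirect call targets the disassembler could not name; they are kept in "unresolved" so they do not pollute the API-based matching.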
                    Matched YARA rules (rule metadata listed once; the per-region matches follow):
                    Windows_Trojan_Remcos_b296e965: reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    REMCOS_RAT_variants: Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM: author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
                    Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, matched rules: Windows_Trojan_Remcos_b296e965
                    Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/8@0/1
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033A06A GetLastError,FormatMessageW,0_2_0033A06A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_003281CB AdjustTokenPrivileges,CloseHandle,0_2_003281CB
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_003287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_003287E1
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_008281CB AdjustTokenPrivileges,CloseHandle,2_2_008281CB
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_008287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_008287E1
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,3_2_00416AB7
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0033B333
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0034EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0034EE0D
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_003483BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_003483BB
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_002D4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_002D4E89
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BC4
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | File created: C:\Users\user\AppData\Local\ectosphere
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | File created: C:\Users\user\AppData\Local\Temp\aut9ABF.tmp
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs"
                    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: 8kjlHXmbAY.exe | ReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | File read: C:\Users\user\Desktop\8kjlHXmbAY.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\8kjlHXmbAY.exe "C:\Users\user\Desktop\8kjlHXmbAY.exe"
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Process created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\Desktop\8kjlHXmbAY.exe"
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Process created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\Desktop\8kjlHXmbAY.exe"
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: netutils.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_00429A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00429A50
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_002F8945 push ecx; ret 0_2_002F8958
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_007F8945 push ecx; ret 2_2_007F8958
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_004567E0 push eax; ret 3_2_004567FE
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_0045B9DD push esi; ret 3_2_0045B9E6
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00455EAF push ecx; ret 3_2_00455EC2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00433FF6 push ecx; ret 3_2_00434009
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1
                    Source: initial sample | Static PE information: section name: UPX0
                    Source: initial sample | Static PE information: section name: UPX1
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00406128 ShellExecuteW,URLDownloadToFileW,3_2_00406128
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | File created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,3_2_00419BC4
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_002D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002D48D7
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_00355376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00355376
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_007D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_007D48D7
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_00855376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00855376
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_002F3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_002F3187
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Process information set: NOOPENFILEERRORBOX
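The "Process created" and Boot Survival entries above describe a persistence chain that a detection engineer can encode directly: the initial sample drops bankrupture.exe under %LOCALAPPDATA%\ectosphere, bankrupture.exe writes bankrupture.vbs into the per-user Startup folder, and at the next logon wscript.exe runs that script and relaunches bankrupture.exe. The report also shows one record where the image that runs (bankrupture.exe) is not the image named on its own command line ("C:\Users\user\Desktop\8kjlHXmbAY.exe"), a mismatch worth flagging on its own. The Python below is an added example written for this page, not Joe Sandbox code and not a parser of the sandbox's output format. It runs three rules over process-creation records transcribed from the report (plus one constructed benign record as a control) and walks the parent/child links to recover the Startup-folder chain. The record layout, the rule names and the list of user-writable directories are the example's own choices.

```python
import re
from collections import defaultdict

# Process-creation records modelled on the "Process created" entries in the
# report above: (parent image or None, child image, child command line).
# Transcribed for this example; the last record is a constructed benign control.
SAMPLE_EVENTS = [
    (None,
     r"C:\Users\user\Desktop\8kjlHXmbAY.exe",
     r'"C:\Users\user\Desktop\8kjlHXmbAY.exe"'),
    (r"C:\Users\user\Desktop\8kjlHXmbAY.exe",
     r"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe",
     r'"C:\Users\user\Desktop\8kjlHXmbAY.exe"'),
    (r"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe",
     r"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe",
     r'"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"'),
    (None,
     r"C:\Windows\System32\wscript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs"'),
    (r"C:\Windows\System32\wscript.exe",
     r"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe",
     r'"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\notepad.exe",
     r'"C:\Windows\System32\notepad.exe" C:\Users\user\Desktop\notes.txt'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Per-user Startup folder, as it appears in the report's bankrupture.vbs path.
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
# Directories a standard user can write to (example's own list, not exhaustive).
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def quoted_args(cmdline):
    """Split a Windows command line on whitespace while keeping quoted paths whole."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def classify(parent, child, cmdline):
    """Return the rule names a single process-creation record triggers."""
    hits = []
    args = quoted_args(cmdline)
    # Rule 1: a script host started with a script that lives in the Startup folder.
    if basename(child) in SCRIPT_HOSTS and any(STARTUP_DIR in a.lower() for a in args[1:]):
        hits.append("script_host_startup_folder")
    # Rule 2: a script host spawning an executable from a user-writable location.
    if parent and basename(parent) in SCRIPT_HOSTS and \
            any(d in child.lower() for d in USER_WRITABLE):
        hits.append("script_host_spawns_user_writable_exe")
    # Rule 3: the image that runs is not the image named in argv[0].
    if args and basename(args[0]) != basename(child):
        hits.append("image_cmdline_mismatch")
    return hits

def detect(events):
    """Map (child image, command line) to the rules it triggers; silent records are omitted."""
    findings = {}
    for parent, child, cmdline in events:
        hits = classify(parent, child, cmdline)
        if hits:
            findings[(child, cmdline)] = hits
    return findings

def persistence_chain(events):
    """From each Startup-folder script host, follow parent->child links to the final image."""
    children = defaultdict(list)
    for parent, child, cmdline in events:
        children[parent].append((child, cmdline))
    roots = [c for c, cl in children[None]
             if "script_host_startup_folder" in classify(None, c, cl)]
    chains = []
    for root in roots:
        chain, frontier = [root], root
        while children.get(frontier):
            frontier = children[frontier][0][0]
            if frontier in chain:      # bankrupture.exe respawns itself; stop on the cycle
                break
            chain.append(frontier)
        chains.append(chain)
    return chains

if __name__ == "__main__":
    for key, rules in detect(SAMPLE_EVENTS).items():
        print(key[0], "->", ", ".join(rules))
    for chain in persistence_chain(SAMPLE_EVENTS):
        print("startup chain:", " -> ".join(chain))
```

On real telemetry the same three rules apply to Sysmon event 1 or Windows 4688 records (image, parent image, command line); rule 1 alone is a strong signal because legitimate Startup-folder entries are rarely .vbs files launched through WScript, and rules 2 and 3 together single out the relaunch and the mismatched command line that the report shows for this sample.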

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_0040E54F Sleep,ExitProcess,3_2_0040E54F
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_002DC49A rdtsc 0_2_002DC49A
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,3_2_004198C2
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Window / User API: threadDelayed 510
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Window / User API: threadDelayed 8989
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Window / User API: foregroundWindowGot 1741
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-103138
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | API coverage: 4.6 %
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | API coverage: 4.5 %
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe TID: 6224 | Thread sleep time: -98000s >= -30000s
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe TID: 1036 | Thread sleep time: -1530000s >= -30000s
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe TID: 1036 | Thread sleep time: -26967000s >= -30000s
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0033445A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033C6D1 FindFirstFileW,FindClose,0_2_0033C6D1
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0033C75C
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0033EF95
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0033F0F2
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0033F3F3
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_003337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003337EF
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_00333B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00333B12
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_0033BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0033BCBC
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_0083445A
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083C6D1 FindFirstFileW,FindClose,2_2_0083C6D1
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0083C75C
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0083EF95
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_0083F0F2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0083F3F3
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_008337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_008337EF
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_00833B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00833B12
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_0083BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0083BCBC
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,3_2_0040B335
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,3_2_0041B42F
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,3_2_0040B53A
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_0044D5E9 FindFirstFileExA,3_2_0044D5E9
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,3_2_004089A9
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00406AC2 FindFirstFileW,FindNextFileW,3_2_00406AC2
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 3_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,3_2_00407A8C
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,3_2_00418C69
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,3_2_00408DA7
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,3_2_00406F06
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002D49A0
                    Source: teer.0.drBinary or memory string: VMCIYAH
                    Source: bankrupture.exe, 00000008.00000003.2380227439.000000000145C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vmwareworkstation.exe
                    Source: bankrupture.exe, 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002DC49A rdtsc 0_2_002DC49A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00343F09 BlockInput,0_2_00343F09
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_002D3B3A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00305A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,0_2_00305A7C
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00429A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00429A50
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_014F9786 mov eax, dword ptr fs:[00000030h]0_2_014F9786
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_014F9798 mov eax, dword ptr fs:[00000030h]0_2_014F9798
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_014FADD8 mov eax, dword ptr fs:[00000030h]0_2_014FADD8
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_014FAE38 mov eax, dword ptr fs:[00000030h]0_2_014FAE38
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_00FBB060 mov eax, dword ptr fs:[00000030h]2_2_00FBB060
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_00FBB000 mov eax, dword ptr fs:[00000030h]2_2_00FBB000
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_00FB99C0 mov eax, dword ptr fs:[00000030h]2_2_00FB99C0
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_00FB99AE mov eax, dword ptr fs:[00000030h]2_2_00FB99AE
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00442554 mov eax, dword ptr fs:[00000030h]3_2_00442554
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_012E916E mov eax, dword ptr fs:[00000030h]3_2_012E916E
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_012E9180 mov eax, dword ptr fs:[00000030h]3_2_012E9180
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_012EA7C0 mov eax, dword ptr fs:[00000030h]3_2_012EA7C0
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_012EA820 mov eax, dword ptr fs:[00000030h]3_2_012EA820
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_003280A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation,0_2_003280A9
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002FA124 SetUnhandledExceptionFilter,0_2_002FA124
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_002FA155
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_007FA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_007FA155
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 2_2_007FA124 SetUnhandledExceptionFilter,2_2_007FA124
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00434168
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_0043A65D
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00433B44
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: 3_2_00433CD7 SetUnhandledExceptionFilter,3_2_00433CD7
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe3_2_00410F36
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_003287B1 LogonUserW,0_2_003287B1
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_002D3B3A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002D48D7
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00334C27 mouse_event,0_2_00334C27
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe "C:\Users\user\AppData\Local\ectosphere\bankrupture.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00327CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00327CAF
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_0032874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_0032874B
                    Source: 8kjlHXmbAY.exe, 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp, bankrupture.exe, 00000002.00000002.2276041187.0000000000884000.00000040.00000001.01000000.00000004.sdmp, bankrupture.exe, 00000003.00000002.4673374422.0000000000884000.00000040.00000001.01000000.00000004.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: bankrupture.exe, 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager0.26:8787
                    Source: bankrupture.exe, 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerineer
                    Source: bankrupture.exe, 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager05\rivers
                    Source: bankrupture.exe, 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                    Source: 8kjlHXmbAY.exe, bankrupture.exeBinary or memory string: Shell_TrayWnd
                    Source: bankrupture.exe, 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager05\7
                    Source: bankrupture.exe, 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager05\
                    Source: bankrupture.exe, 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager0.26
                    Source: bankrupture.exe, 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerztS
                    Source: bankrupture.exe, 00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                    Source: bankrupture.exe, 00000003.00000002.4673994833.000000000127B000.00000004.00000020.00020000.00000000.sdmp, logs.dat.3.drBinary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002F862B cpuid 0_2_002F862B
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: EnumSystemLocalesW,3_2_004470AE
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetLocaleInfoW,3_2_004510BA
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_004511E3
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetLocaleInfoW,3_2_004512EA
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_004513B7
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetLocaleInfoW,3_2_00447597
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetLocaleInfoA,3_2_0040E679
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_00450A7F
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: EnumSystemLocalesW,3_2_00450CF7
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: EnumSystemLocalesW,3_2_00450D42
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: EnumSystemLocalesW,3_2_00450DDD
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_00450E6A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00304E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00304E87
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00311E06 GetUserNameW,0_2_00311E06
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_00303F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00303F3A
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeCode function: 0_2_002D49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002D49A0
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                    Source: bankrupture.exe, 00000002.00000003.2240754170.000000000103C000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000002.00000003.2240632258.0000000000FBF000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000002.00000002.2278410761.000000000103C000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000003.2276875654.000000000136C000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000003.2276581975.00000000012EF000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000003.2379612064.00000000013DE000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000002.2406102574.000000000145C000.00000004.00000020.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000003.2380227439.000000000145C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: msmpeng.exe

                    Stealing of Sensitive Information

                    barindex
                    Source: Yara match | File source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674782285.0000000003FEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2406102574.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 3_2_0040B21B
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 3_2_0040B335
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: \key3.db 3_2_0040B335
                    Source: bankrupture.exe | Binary or memory string: WIN_81
                    Source: bankrupture.exe | Binary or memory string: WIN_XP
                    Source: bankrupture.exe | Binary or memory string: WIN_XPe
                    Source: bankrupture.exe | Binary or memory string: WIN_VISTA
                    Source: bankrupture.exe | Binary or memory string: WIN_7
                    Source: bankrupture.exe | Binary or memory string: WIN_8
                    Source: bankrupture.exe, 00000008.00000002.2404955093.0000000000884000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

                    barindex
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: Yara match | File source: 8.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.3b70000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.bankrupture.exe.33f0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.bankrupture.exe.2020000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.bankrupture.exe.33f0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.bankrupture.exe.3b70000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.bankrupture.exe.2020000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674782285.0000000003FEF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2406102574.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: bankrupture.exe PID: 5048, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bankrupture.exe PID: 6392, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: bankrupture.exe PID: 712, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: cmd.exe 3_2_00405042
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_00346283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00346283
                    Source: C:\Users\user\Desktop\8kjlHXmbAY.exe | Code function: 0_2_00346747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00346747
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_00846283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00846283
                    Source: C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | Code function: 2_2_00846747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00846747

                    MITRE ATT&CK Matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information111
                    Scripting
                    2
                    Valid Accounts
                    2
                    Native API
                    111
                    Scripting
                    1
                    Exploitation for Privilege Escalation
                    1
                    Disable or Modify Tools
                    1
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services11
                    Archive Collected Data
                    11
                    Ingress Tool Transfer
                    Exfiltration Over Other Network Medium1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts1
                    Command and Scripting Interpreter
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Deobfuscate/Decode Files or Information
                    121
                    Input Capture
                    1
                    Account Discovery
                    Remote Desktop Protocol121
                    Input Capture
                    2
                    Encrypted Channel
                    Exfiltration Over Bluetooth1
                    Defacement
                    Email AddressesDNS ServerDomain Accounts2
                    Service Execution
                    2
                    Valid Accounts
                    1
                    Bypass User Account Control
                    21
                    Obfuscated Files or Information
                    2
                    Credentials In Files
                    1
                    System Service Discovery
                    SMB/Windows Admin Shares3
                    Clipboard Data
                    1
                    Remote Access Software
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron1
                    Windows Service
                    2
                    Valid Accounts
                    1
                    Software Packing
                    NTDS3
                    File and Directory Discovery
                    Distributed Component Object ModelInput Capture1
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchd2
                    Registry Run Keys / Startup Folder
                    21
                    Access Token Manipulation
                    1
                    DLL Side-Loading
                    LSA Secrets26
                    System Information Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts1
                    Windows Service
                    1
                    Bypass User Account Control
                    Cached Domain Credentials151
                    Security Software Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup Items22
                    Process Injection
                    1
                    Masquerading
                    DCSync1
                    Virtualization/Sandbox Evasion
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/Job2
                    Registry Run Keys / Startup Folder
                    2
                    Valid Accounts
                    Proc Filesystem2
                    Process Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                    Virtualization/Sandbox Evasion
                    /etc/passwd and /etc/shadow11
                    Application Window Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron21
                    Access Token Manipulation
                    Network Sniffing1
                    System Owner/User Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                    Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd22
                    Process Injection
                    Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption
                    Source | Detection | Scanner | Label | Link
                    8kjlHXmbAY.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
                    8kjlHXmbAY.exe | 100% | Joe Sandbox ML
                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | 100% | Joe Sandbox ML
                    C:\Users\user\AppData\Local\ectosphere\bankrupture.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | bankrupture.exe | false | | high
http://geoplugin.net/json.gp/C | bankrupture.exe, 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, bankrupture.exe, 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
192.210.150.26 | unknown | United States | | 36352 | AS-COLOCROSSINGUS | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588569
Start date and time: 2025-01-11 02:29:55 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 33s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 8kjlHXmbAY.exe (renamed because the original name is a hash value)
Original Sample Name: 199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@8/8@0/1
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 57
                        • Number of non-executed functions: 282
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56
                        • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                        • Report creation exceeded maximum time and may have missing disassembly code information.
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 8kjlHXmbAY.exe
Time | Type | Description
02:31:02 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs
20:31:37 | API Interceptor | 6467129x Sleep call for process: bankrupture.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
192.210.150.26 | NssBkEQKsI.exe | malicious | Remcos |
 | l1QC9H0SNR.exe | malicious | Remcos |
 | bwYw3UUfy7.exe | malicious | Remcos |
 | FACTURA.xlsx | malicious | Remcos |
 | 7056ZCiFdE.exe | malicious | Remcos |
 | uIarPolvHR.exe | malicious | Remcos |
 | IB9876789000.bat.exe | malicious | Remcos |
 | z49FACTURA-0987678.exe | malicious | Remcos |
 | FAT6789098700900.scr.exe | malicious | Remcos |
 | Rgh99876k7e.exe | malicious | Remcos |
                                            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-COLOCROSSINGUS | OKkUGRkZV7.exe | malicious | Remcos | 192.3.64.152
 | NssBkEQKsI.exe | malicious | Remcos | 192.210.150.26
 | l1QC9H0SNR.exe | malicious | Remcos | 192.210.150.26
 | MLxloAVuCZ.exe | malicious | Remcos | 192.3.64.152
 | bwYw3UUfy7.exe | malicious | Remcos | 192.210.150.26
 | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
 | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
 | Nuevo-orden.xla.xlsx | malicious | Unknown | 192.3.27.144
 | sh4.elf | malicious | Mirai | 23.95.117.229
 | sweetnessgoodforgreatnessthingswithgood.tIF.vbs | malicious | SmokeLoader | 192.3.27.144
                                            No context
                                            No context
                                            Process:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):3.372193214916272
                                            Encrypted:false
                                            SSDEEP:3:rglsOlfXlndlfTlFi5JWRal2Jl+7R0DAlBG4moojklovDl6v:Mls6no5YcIeeDAlS1gWAv
                                            MD5:86E233BCB693849E583F529B437F701C
                                            SHA1:CD1108BAA3030D416F90B161DB9379409988927B
                                            SHA-256:1C7881173FDD297CEA77DB31C732ACE7307FA6BD2A436C05F695D3CFECABAE6F
                                            SHA-512:EEC7A43BE7FE4916549ACA142E078909C1D624CEDA6CE5BADC60253825E5CF72C25198B605D33CA9B5320776583F10D893E2674A8E244E1C498BDFE9156EB1A4
                                            Malicious:true
                                            Yara Hits:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                            Reputation:low
                                            Preview:....[.2.0.2.5./.0.1./.1.0. .2.0.:.3.1.:.0.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                            Process:C:\Users\user\Desktop\8kjlHXmbAY.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):429886
                                            Entropy (8bit):7.975798750489699
                                            Encrypted:false
                                            SSDEEP:12288:JH2xVZcyDiOCfp0pBFervkfysMmscsDgVv:cZNDicClsMWv
                                            MD5:A9A0E5250052A7C19D3272E47DBF1F2D
                                            SHA1:19D121B655A3802195D307C0431F84CEB9042D7B
                                            SHA-256:2CB6C8E181DD25247599136ADA37C8CFC64BDC5B073A236524A97182BA8FC720
                                            SHA-512:8427FF93F6F6F7849BE19E9DD93418067FE7E4DA271E7E694A37FEAB606803A3A031979838C55551B0C7D590E5959CBB53A8DDFEDEE36494769FAE7DBC1E2D4B
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06......x.z.2.J...T...I..j..]..W.R&.JE..G.......N..i .....f.M..2.E....a-....g...s...u(..dR...]Y.I.6....G.W.r...-...$.....A.P-`....<Y_.;)..@=.?.?..../..%.....;..............v..&3{i..7.x6k}...x....qh.. .....{@..........8vWA...xu.6.c..8+.k....pV...?....Hj......Q.]....T&2...`....2.K.M...l..I..j.....7.R*.#...pD......7..i.j`..M..@M1..)...LRh..J.$.8.2.J...?1Y.P.OR...T.}^.H...[>Z..J..*T....I...|`....T.U@....1...x.....p>....C..' ..R.P.......c4.P.~>.L.Q..%3i4....U@?1...)..0...... ..D.}..8$10...1........3...x.=.MC........'...p`..T........k1..%.P....Ri0....J...!.z.(........?..V.v...."...@......J.}=s..&........C..h)..]....v-...~MG...i-..[..x^..t.N/.J.W..\*X...Ws.Mj.....W.C#.zD{/-..}.xD.u...r.Mf!1...J.G.^bt}]..J....HE;W_....G.;i..;..=../.."..<..K....:N2{..Q...."i\.J.4}^..I..?.-..I..s.\..:..;.k}....I..:|"+H..-..Mv.\.Q....im.....%3{....R....I..nS*\....].sM.j.G...rxT.u.Shq.U~....aU}.z74.K.r.53{<.M*Q.w....Mw..-..?..n3M.....e...t....j.6`..!+.. .0...#.D.Z{.r.M.I.....
                                            Process:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):429886
                                            Entropy (8bit):7.975798750489699
                                            Encrypted:false
                                            SSDEEP:12288:JH2xVZcyDiOCfp0pBFervkfysMmscsDgVv:cZNDicClsMWv
                                            MD5:A9A0E5250052A7C19D3272E47DBF1F2D
                                            SHA1:19D121B655A3802195D307C0431F84CEB9042D7B
                                            SHA-256:2CB6C8E181DD25247599136ADA37C8CFC64BDC5B073A236524A97182BA8FC720
                                            SHA-512:8427FF93F6F6F7849BE19E9DD93418067FE7E4DA271E7E694A37FEAB606803A3A031979838C55551B0C7D590E5959CBB53A8DDFEDEE36494769FAE7DBC1E2D4B
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06......x.z.2.J...T...I..j..]..W.R&.JE..G.......N..i .....f.M..2.E....a-....g...s...u(..dR...]Y.I.6....G.W.r...-...$.....A.P-`....<Y_.;)..@=.?.?..../..%.....;..............v..&3{i..7.x6k}...x....qh.. .....{@..........8vWA...xu.6.c..8+.k....pV...?....Hj......Q.]....T&2...`....2.K.M...l..I..j.....7.R*.#...pD......7..i.j`..M..@M1..)...LRh..J.$.8.2.J...?1Y.P.OR...T.}^.H...[>Z..J..*T....I...|`....T.U@....1...x.....p>....C..' ..R.P.......c4.P.~>.L.Q..%3i4....U@?1...)..0...... ..D.}..8$10...1........3...x.=.MC........'...p`..T........k1..%.P....Ri0....J...!.z.(........?..V.v...."...@......J.}=s..&........C..h)..]....v-...~MG...i-..[..x^..t.N/.J.W..\*X...Ws.Mj.....W.C#.zD{/-..}.xD.u...r.Mf!1...J.G.^bt}]..J....HE;W_....G.;i..;..=../.."..<..K....:N2{..Q...."i\.J.4}^..I..?.-..I..s.\..:..;.k}....I..:|"+H..-..Mv.\.Q....im.....%3{....R....I..nS*\....].sM.j.G...rxT.u.Shq.U~....aU}.z74.K.r.53{<.M*Q.w....Mw..-..?..n3M.....e...t....j.6`..!+.. .0...#.D.Z{.r.M.I.....
                                            Process:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):429886
                                            Entropy (8bit):7.975798750489699
                                            Encrypted:false
                                            SSDEEP:12288:JH2xVZcyDiOCfp0pBFervkfysMmscsDgVv:cZNDicClsMWv
                                            MD5:A9A0E5250052A7C19D3272E47DBF1F2D
                                            SHA1:19D121B655A3802195D307C0431F84CEB9042D7B
                                            SHA-256:2CB6C8E181DD25247599136ADA37C8CFC64BDC5B073A236524A97182BA8FC720
                                            SHA-512:8427FF93F6F6F7849BE19E9DD93418067FE7E4DA271E7E694A37FEAB606803A3A031979838C55551B0C7D590E5959CBB53A8DDFEDEE36494769FAE7DBC1E2D4B
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06......x.z.2.J...T...I..j..]..W.R&.JE..G.......N..i .....f.M..2.E....a-....g...s...u(..dR...]Y.I.6....G.W.r...-...$.....A.P-`....<Y_.;)..@=.?.?..../..%.....;..............v..&3{i..7.x6k}...x....qh.. .....{@..........8vWA...xu.6.c..8+.k....pV...?....Hj......Q.]....T&2...`....2.K.M...l..I..j.....7.R*.#...pD......7..i.j`..M..@M1..)...LRh..J.$.8.2.J...?1Y.P.OR...T.}^.H...[>Z..J..*T....I...|`....T.U@....1...x.....p>....C..' ..R.P.......c4.P.~>.L.Q..%3i4....U@?1...)..0...... ..D.}..8$10...1........3...x.=.MC........'...p`..T........k1..%.P....Ri0....J...!.z.(........?..V.v...."...@......J.}=s..&........C..h)..]....v-...~MG...i-..[..x^..t.N/.J.W..\*X...Ws.Mj.....W.C#.zD{/-..}.xD.u...r.Mf!1...J.G.^bt}]..J....HE;W_....G.;i..;..=../.."..<..K....:N2{..Q...."i\.J.4}^..I..?.-..I..s.\..:..;.k}....I..:|"+H..-..Mv.\.Q....im.....%3{....R....I..nS*\....].sM.j.G...rxT.u.Shq.U~....aU}.z74.K.r.53{<.M*Q.w....Mw..-..?..n3M.....e...t....j.6`..!+.. .0...#.D.Z{.r.M.I.....
                                            Process:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):429886
                                            Entropy (8bit):7.975798750489699
                                            Encrypted:false
                                            SSDEEP:12288:JH2xVZcyDiOCfp0pBFervkfysMmscsDgVv:cZNDicClsMWv
                                            MD5:A9A0E5250052A7C19D3272E47DBF1F2D
                                            SHA1:19D121B655A3802195D307C0431F84CEB9042D7B
                                            SHA-256:2CB6C8E181DD25247599136ADA37C8CFC64BDC5B073A236524A97182BA8FC720
                                            SHA-512:8427FF93F6F6F7849BE19E9DD93418067FE7E4DA271E7E694A37FEAB606803A3A031979838C55551B0C7D590E5959CBB53A8DDFEDEE36494769FAE7DBC1E2D4B
                                            Malicious:false
                                            Reputation:low
                                            Preview:EA06......x.z.2.J...T...I..j..]..W.R&.JE..G.......N..i .....f.M..2.E....a-....g...s...u(..dR...]Y.I.6....G.W.r...-...$.....A.P-`....<Y_.;)..@=.?.?..../..%.....;..............v..&3{i..7.x6k}...x....qh.. .....{@..........8vWA...xu.6.c..8+.k....pV...?....Hj......Q.]....T&2...`....2.K.M...l..I..j.....7.R*.#...pD......7..i.j`..M..@M1..)...LRh..J.$.8.2.J...?1Y.P.OR...T.}^.H...[>Z..J..*T....I...|`....T.U@....1...x.....p>....C..' ..R.P.......c4.P.~>.L.Q..%3i4....U@?1...)..0...... ..D.}..8$10...1........3...x.=.MC........'...p`..T........k1..%.P....Ri0....J...!.z.(........?..V.v...."...@......J.}=s..&........C..h)..]....v-...~MG...i-..[..x^..t.N/.J.W..\*X...Ws.Mj.....W.C#.zD{/-..}.xD.u...r.Mf!1...J.G.^bt}]..J....HE;W_....G.;i..;..=../.."..<..K....:N2{..Q...."i\.J.4}^..I..?.-..I..s.\..:..;.k}....I..:|"+H..-..Mv.\.Q....im.....%3{....R....I..nS*\....].sM.j.G...rxT.u.Shq.U~....aU}.z74.K.r.53{<.M*Q.w....Mw..-..?..n3M.....e...t....j.6`..!+.. .0...#.D.Z{.r.M.I.....
                                            Process:C:\Users\user\Desktop\8kjlHXmbAY.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):492544
                                            Entropy (8bit):7.67718671619172
                                            Encrypted:false
                                            SSDEEP:12288:PvfRxY8MNdyNmAfFEzSawPhQH7m+IHECU8cZpuudTCM/:PBxY76mAfFZadbKW8cZMudb
                                            MD5:BD289FA20B842C995C4616D9CF521DF5
                                            SHA1:6D85A647C2995355869131522CA6C3F087DB187A
                                            SHA-256:686DEAE06FA39D9D353C1433D1C43A360877631186A36FF92BB29C3914D6238E
                                            SHA-512:2004F457EA076B9E7243388AE1132790BE023636BE70C9161B38954AEF6E27E2049EC87C5AF7205A60964CC08BF9E968D9DA71307A462C168F3BEA7ADE302BE7
                                            Malicious:false
                                            Reputation:low
                                            Preview:...G@LUJK7RH..CI.5U1KFMW.H44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGKMUJA(.FM.J.h.T}.g.?;;.D:(35"!u).Y<'9n!,iG _k/#w..g.%(0"mAX@k7RHMNCI...............O.}.....A.i.Z}..G.f......w......i.L..............h.......l.......~...}..........[f......\.t.....Z........!W\....CLUJO7RH..CI.4P1 .i0RH44HGTG.LWKD6\XM.FII.W1KFMWhs74HWTGC<PJO7.HM^CII7U1NFLWRH44MGUGCLUJO.UHMJCII5U1IFM.RH$4HWTGCLEJO'RHMNCIY5U1KFMWRH44h.RGGMUJOWUH..CII5U1KFMWRH44HGTGC.RJ..RH].EIq5U1KFMWRH44HGTGCLUJ..THUNCI..S1.FMWRH44HGTGC<PJ.3RHMNCII5U1KFMWRH44HGTGCLUJaC709NCITjP1KVMWR(14HCTGCLUJO7RHMNCIi5UQe4)6&)44H.UGC<PJO.SHM*FII5U1KFMWRH44.GT.m(4>.7RH!.CII5R1KHMWR.24HGTGCLUJO7RH.NC.gG&C(FMW..44H'SGC.UJO.THMNCII5U1KFMW.H4tf51+,/UJ..RHM.DII.U1K.JWRH44HGTGCLUJ.7R.MNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1KFMWRH44HGTGCLUJO7RHMNCII5U1
                                            Process:C:\Users\user\Desktop\8kjlHXmbAY.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Category:dropped
                                            Size (bytes):883712
                                            Entropy (8bit):7.965059355400651
                                            Encrypted:false
                                            SSDEEP:24576:Krl6kD68JmlotQfnkSjkpoftUXoBmZieeiftIZpr:4l328U2yfnrQaZoZiEFIZp
                                            MD5:57F7D9095490A4AADDA9E261FEC73A68
                                            SHA1:45E51F97ABC52DD29E65D7EC78E18EE8D1721867
                                            SHA-256:199AB84D301B4914A7EB23A40A575E2622928E58D3672DA79E43C77E453C4A3D
                                            SHA-512:80512A3188E69746425F828E394A0BF9EA6B50B4DDA5B5F0B819248610D58D6FBD7862F29D42266F473515E60EADB2B5038C3EE9F7F9B26BB0A22981552F1810
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 71%
                                            Reputation:low
                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L... .Pg.........."......`... ...0..P....@........@.......................................@...@.......@.....................p...$.......p...........................................................4...H...........................................UPX0.....0..............................UPX1.....`...@...^..................@....rsrc.... ...........b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                            Process:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):290
                                            Entropy (8bit):3.3788356634696783
                                            Encrypted:false
                                            SSDEEP:6:DMM8lfm3OOQdUfclzXUEZ+lX1AlMZ+DA6dnriIM8lfQVn:DsO+vNlDQ1AlQ+MMmA2n
                                            MD5:81E716278BAE3DD53BD95DD2173CA48E
                                            SHA1:BE61CDBA80BBF73D9DE4C19C5BB7217EF5DE2D06
                                            SHA-256:A606B0EE745E34B034DE70BB8E20B576A0D26F2DB915BE2FE64FFE2C6C9B31E7
                                            SHA-512:88CF7A63C021DFEE8F3AA7C04EC10C21094677D4A43FEC661AE04F39DAD1166D6B0480023DB426F6F122E8C22D5C2B8EACC6F4ACC24213DB8B9308AC0FF83973
                                            Malicious:true
                                            Reputation:low
                                            Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.e.c.t.o.s.p.h.e.r.e.\.b.a.n.k.r.u.p.t.u.r.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                            Entropy (8bit):7.965059355400651
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.39%
                                            • UPX compressed Win32 Executable (30571/9) 0.30%
                                            • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            File name:8kjlHXmbAY.exe
                                            File size:883'712 bytes
                                            MD5:57f7d9095490a4aadda9e261fec73a68
                                            SHA1:45e51f97abc52dd29e65d7ec78e18ee8d1721867
                                            SHA256:199ab84d301b4914a7eb23a40a575e2622928e58d3672da79e43c77e453c4a3d
                                            SHA512:80512a3188e69746425f828e394a0bf9ea6b50b4dda5b5f0b819248610d58d6fbd7862f29d42266f473515e60eadb2b5038c3ee9f7f9b26bb0a22981552f1810
                                            SSDEEP:24576:Krl6kD68JmlotQfnkSjkpoftUXoBmZieeiftIZpr:4l328U2yfnrQaZoZiEFIZp
                                            TLSH:7115238A06D19963C254577080BDDD645E7874739ECA7B9EC36AE71BEC30307AC0AB4D
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                            Icon Hash:aaf3e3e3938382a0
                                            Entrypoint:0x559a50
                                            Entrypoint Section:UPX1
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x6750F820 [Thu Dec 5 00:47:28 2024 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:5
                                            OS Version Minor:1
                                            File Version Major:5
                                            File Version Minor:1
                                            Subsystem Version Major:5
                                            Subsystem Version Minor:1
                                            Import Hash:fc6683d30d9f25244a50fd5357825e79
                                            Instruction
                                            pushad
                                            mov esi, 00504000h
                                            lea edi, dword ptr [esi-00103000h]
                                            push edi
                                            jmp 00007FAA38E35B4Dh
                                            nop
                                            mov al, byte ptr [esi]
                                            inc esi
                                            mov byte ptr [edi], al
                                            inc edi
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007FAA38E35B2Fh
                                            mov eax, 00000001h
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            add ebx, ebx
                                            jnc 00007FAA38E35B4Dh
                                            jne 00007FAA38E35B6Ah
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007FAA38E35B61h
                                            dec eax
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc eax, eax
                                            jmp 00007FAA38E35B16h
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            jmp 00007FAA38E35B94h
                                            xor ecx, ecx
                                            sub eax, 03h
                                            jc 00007FAA38E35B53h
                                            shl eax, 08h
                                            mov al, byte ptr [esi]
                                            inc esi
                                            xor eax, FFFFFFFFh
                                            je 00007FAA38E35BB7h
                                            sar eax, 1
                                            mov ebp, eax
                                            jmp 00007FAA38E35B4Dh
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007FAA38E35B0Eh
                                            inc ecx
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jc 00007FAA38E35B00h
                                            add ebx, ebx
                                            jne 00007FAA38E35B49h
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            adc ecx, ecx
                                            add ebx, ebx
                                            jnc 00007FAA38E35B31h
                                            jne 00007FAA38E35B4Bh
                                            mov ebx, dword ptr [esi]
                                            sub esi, FFFFFFFCh
                                            adc ebx, ebx
                                            jnc 00007FAA38E35B26h
                                            add ecx, 02h
                                            cmp ebp, FFFFFB00h
                                            adc ecx, 02h
                                            lea edx, dword ptr [edi+ebp]
                                            cmp ebp, FFFFFFFCh
                                            jbe 00007FAA38E35B50h
                                            mov al, byte ptr [edx]
                                            Programming Language:
                                            • [ASM] VS2013 build 21005
                                            • [ C ] VS2013 build 21005
                                            • [C++] VS2013 build 21005
                                            • [ C ] VS2008 SP1 build 30729
                                            • [IMP] VS2008 SP1 build 30729
                                            • [ASM] VS2013 UPD4 build 31101
                                            • [RES] VS2013 build 21005
                                            • [LNK] VS2013 UPD4 build 31101
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1db570 | 0x424 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x15a000 | 0x81570 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1db994 | 0xc | .rsrc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x159c34 | 0x48 | UPX1 |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| UPX0 | 0x1000 | 0x103000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| UPX1 | 0x104000 | 0x56000 | 0x55e00 | 9a5ee3a0c86f199bf122a550c0a65f3c | False | 0.9871241584788938 | data | 7.935458009975686 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x15a000 | 0x82000 | 0x81a00 | 8b3caa2c8cfbffabd42a74ba70e0b5d7 | False | 0.961195530978785 | data | 7.960290229125983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x15a5ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216 |
| RT_ICON | 0x15a6d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027 |
| RT_ICON | 0x15a804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135 |
| RT_ICON | 0x15a930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333 |
| RT_ICON | 0x15ac1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5 |
| RT_ICON | 0x15ad48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388 |
| RT_ICON | 0x15bbf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524 |
| RT_ICON | 0x15c4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918 |
| RT_ICON | 0x15ca0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727 |
| RT_ICON | 0x15efb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496 |
| RT_ICON | 0x160064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227 |
| RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0 |
| RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0 |
| RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0 |
| RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0 |
| RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0 |
| RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0 |
| RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0 |
| RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0 |
| RT_RCDATA | 0x1604d0 | 0x7ab07 | data | | | 1.0003203756952253 |
| RT_GROUP_ICON | 0x1dafdc | 0x76 | data | English | Great Britain | 0.6610169491525424 |
| RT_GROUP_ICON | 0x1db058 | 0x14 | data | English | Great Britain | 1.25 |
| RT_GROUP_ICON | 0x1db070 | 0x14 | data | English | Great Britain | 1.15 |
| RT_GROUP_ICON | 0x1db088 | 0x14 | data | English | Great Britain | 1.25 |
| RT_VERSION | 0x1db0a0 | 0xdc | data | English | Great Britain | 0.6181818181818182 |
| RT_MANIFEST | 0x1db180 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823 |
| DLL | Import |
|---|---|
| KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess |
| ADVAPI32.dll | GetAce |
| COMCTL32.dll | ImageList_Remove |
| COMDLG32.dll | GetOpenFileNameW |
| GDI32.dll | LineTo |
| IPHLPAPI.DLL | IcmpSendEcho |
| MPR.dll | WNetUseConnectionW |
| ole32.dll | CoGetObject |
| OLEAUT32.dll | VariantInit |
| PSAPI.DLL | GetProcessMemoryInfo |
| SHELL32.dll | DragFinish |
| USER32.dll | GetDC |
| USERENV.dll | LoadUserProfileW |
| UxTheme.dll | IsThemeActive |
| VERSION.dll | VerQueryValueW |
| WININET.dll | FtpOpenFileW |
| WINMM.dll | timeGetTime |
| WSOCK32.dll | connect |
| Language of compilation system | Country where language is spoken |
|---|---|
| English | Great Britain |
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
                                            Jan 11, 2025 02:32:05.267920971 CET500078787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:05.268132925 CET500078787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:05.273535013 CET878750007192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:06.281380892 CET500098787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:06.286461115 CET878750009192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:06.286549091 CET500098787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:06.286957979 CET500098787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:06.291737080 CET878750009192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:07.681946039 CET878750009192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:07.685307980 CET500098787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:07.685358047 CET500098787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:07.690239906 CET878750009192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:08.687529087 CET500108787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:08.692620039 CET878750010192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:08.692846060 CET500108787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:08.693265915 CET500108787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:08.698165894 CET878750010192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:10.108612061 CET878750010192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:10.108762026 CET500108787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:10.108968019 CET500108787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:10.113759995 CET878750010192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:11.124943018 CET500118787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:11.129875898 CET878750011192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:11.129954100 CET500118787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:11.130316973 CET500118787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:11.135129929 CET878750011192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:12.547899008 CET878750011192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:12.547990084 CET500118787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:12.547991037 CET500118787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:12.552949905 CET878750011192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:13.562333107 CET500138787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:13.567286968 CET878750013192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:13.567385912 CET500138787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:13.567840099 CET500138787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:13.572633028 CET878750013192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:14.964373112 CET878750013192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:14.964500904 CET500138787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:14.964500904 CET500138787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:14.969661951 CET878750013192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:15.968868017 CET500148787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:15.973895073 CET878750014192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:15.973993063 CET500148787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:15.974430084 CET500148787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:15.979259014 CET878750014192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:17.391381979 CET878750014192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:17.391480923 CET500148787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:17.391515017 CET500148787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:17.396279097 CET878750014192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:18.406368971 CET500158787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:18.411289930 CET878750015192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:18.411609888 CET500158787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:18.411873102 CET500158787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:18.416600943 CET878750015192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:19.827488899 CET878750015192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:19.827593088 CET500158787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:19.827625990 CET500158787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:19.832462072 CET878750015192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:20.844260931 CET500168787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:20.849445105 CET878750016192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:20.852811098 CET500168787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:20.853112936 CET500168787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:20.857907057 CET878750016192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:22.261995077 CET878750016192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:22.265347958 CET500168787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:22.265423059 CET500168787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:22.270277977 CET878750016192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:23.281440973 CET500178787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:23.287729979 CET878750017192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:23.287843943 CET500178787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:23.288256884 CET500178787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:23.294377089 CET878750017192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:24.721637964 CET878750017192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:24.721777916 CET500178787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:24.721777916 CET500178787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:24.726747990 CET878750017192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:25.703725100 CET500188787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:25.708801985 CET878750018192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:25.711591005 CET500188787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:25.711687088 CET500188787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:25.716501951 CET878750018192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:27.160671949 CET878750018192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:27.160907984 CET500188787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:27.160907984 CET500188787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:27.165733099 CET878750018192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:28.110068083 CET500198787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:28.114895105 CET878750019192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:28.115014076 CET500198787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:28.115360975 CET500198787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:28.120119095 CET878750019192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:29.510627031 CET878750019192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:29.510708094 CET500198787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:29.510795116 CET500198787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:29.515608072 CET878750019192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:30.422463894 CET500208787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:30.427361965 CET878750020192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:30.427472115 CET500208787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:30.427963972 CET500208787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:30.432796955 CET878750020192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:31.822478056 CET878750020192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:31.822599888 CET500208787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:31.822599888 CET500208787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:31.827421904 CET878750020192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:32.703205109 CET500228787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:32.708473921 CET878750022192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:32.708565950 CET500228787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:32.708872080 CET500228787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:32.713644028 CET878750022192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:34.124792099 CET878750022192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:34.124883890 CET500228787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:34.124943972 CET500228787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:34.129708052 CET878750022192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:34.984474897 CET500238787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:34.989445925 CET878750023192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:34.989747047 CET500238787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:34.989856958 CET500238787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:34.994628906 CET878750023192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:36.387859106 CET878750023192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:36.387989044 CET500238787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:36.388056993 CET500238787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:36.394009113 CET878750023192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:37.219913960 CET500248787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:37.226203918 CET878750024192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:37.226311922 CET500248787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:37.226732969 CET500248787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:37.232707024 CET878750024192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:38.640338898 CET878750024192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:38.640443087 CET500248787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:38.640542030 CET500248787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:38.645446062 CET878750024192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:39.437593937 CET500258787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:39.442998886 CET878750025192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:39.445318937 CET500258787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:39.445626974 CET500258787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:39.450470924 CET878750025192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:40.856079102 CET878750025192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:40.856146097 CET500258787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:40.856180906 CET500258787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:40.860977888 CET878750025192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:41.624965906 CET500268787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:41.629837036 CET878750026192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:41.630450964 CET500268787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:41.630752087 CET500268787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:41.635555029 CET878750026192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:43.027858019 CET878750026192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:43.027960062 CET500268787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:43.028002024 CET500268787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:43.033405066 CET878750026192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:43.781287909 CET500278787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:43.788393021 CET878750027192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:43.788471937 CET500278787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:43.788801908 CET500278787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:43.795617104 CET878750027192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:45.199796915 CET878750027192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:45.199887991 CET500278787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:45.199954987 CET500278787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:45.204706907 CET878750027192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:45.921901941 CET500288787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:45.926898003 CET878750028192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:45.926995993 CET500288787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:45.927335978 CET500288787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:45.932130098 CET878750028192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:47.323331118 CET878750028192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:47.327507973 CET500288787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:47.327508926 CET500288787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:47.332386017 CET878750028192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:48.032655001 CET500298787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:48.037554026 CET878750029192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:48.037658930 CET500298787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:48.037976027 CET500298787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:48.042800903 CET878750029192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:49.432962894 CET878750029192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:49.433057070 CET500298787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:49.433094025 CET500298787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:49.438623905 CET878750029192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:50.109514952 CET500308787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:50.114439964 CET878750030192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:50.114520073 CET500308787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:50.114842892 CET500308787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:50.119623899 CET878750030192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:51.510736942 CET878750030192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:51.510945082 CET500308787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:51.510946035 CET500308787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:51.515872002 CET878750030192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:52.160557985 CET500318787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:52.165685892 CET878750031192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:52.166321993 CET500318787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:52.166841984 CET500318787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:52.171664953 CET878750031192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:53.597646952 CET878750031192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:53.597762108 CET500318787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:53.597831964 CET500318787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:53.602596998 CET878750031192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:54.234391928 CET500328787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:54.239367008 CET878750032192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:54.239450932 CET500328787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:54.239717007 CET500328787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:54.244543076 CET878750032192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:55.652548075 CET878750032192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:55.652616978 CET500328787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:55.652698040 CET500328787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:55.657648087 CET878750032192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:56.265762091 CET500338787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:56.270657063 CET878750033192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:56.270792007 CET500338787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:56.271114111 CET500338787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:56.275907040 CET878750033192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:57.690388918 CET878750033192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:57.690457106 CET500338787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:57.690568924 CET500338787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:57.695410013 CET878750033192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:58.362365961 CET500348787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:58.367367983 CET878750034192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:58.367711067 CET500348787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:58.367969990 CET500348787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:58.372718096 CET878750034192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:59.801244974 CET878750034192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:32:59.801378965 CET500348787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:59.801434994 CET500348787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:32:59.806207895 CET878750034192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:00.374922037 CET500358787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:00.379930973 CET878750035192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:00.381335020 CET500358787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:00.381644964 CET500358787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:00.386467934 CET878750035192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:01.800343037 CET878750035192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:01.800414085 CET500358787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:01.800477028 CET500358787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:01.805346966 CET878750035192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:02.365596056 CET500368787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:02.370513916 CET878750036192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:02.373325109 CET500368787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:02.373646975 CET500368787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:02.378511906 CET878750036192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:03.796593904 CET878750036192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:03.796777964 CET500368787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:03.800020933 CET500368787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:03.804826021 CET878750036192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:04.328357935 CET500378787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:04.333230972 CET878750037192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:04.333363056 CET500378787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:04.333651066 CET500378787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:04.338475943 CET878750037192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:05.748071909 CET878750037192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:33:05.748250961 CET500378787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:33:05.748297930 CET500378787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:06.771104097 CET878750074192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:06.771193027 CET500748787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:06.771533966 CET500748787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:06.776333094 CET878750074192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:08.172684908 CET878750074192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:08.172781944 CET500748787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:08.172838926 CET500748787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:08.180722952 CET878750074192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:08.327909946 CET500758787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:08.332921982 CET878750075192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:08.333165884 CET500758787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:08.333432913 CET500758787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:08.338186026 CET878750075192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:09.730695009 CET878750075192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:09.730776072 CET500758787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:09.730813980 CET500758787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:09.735634089 CET878750075192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:09.890572071 CET500768787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:09.895616055 CET878750076192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:09.895698071 CET500768787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:09.895987988 CET500768787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:09.900772095 CET878750076192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:11.295269966 CET878750076192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:11.295423985 CET500768787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:11.295634031 CET500768787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:11.300673008 CET878750076192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:11.437220097 CET500778787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:11.442370892 CET878750077192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:11.442487001 CET500778787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:11.442802906 CET500778787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:11.447648048 CET878750077192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:12.859873056 CET878750077192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:12.860080004 CET500778787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:12.860080004 CET500778787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:12.864994049 CET878750077192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:13.000004053 CET500788787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:13.005223036 CET878750078192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:13.005311012 CET500788787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:13.005660057 CET500788787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:13.010385990 CET878750078192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:14.443162918 CET878750078192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:14.443244934 CET500788787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:14.443300009 CET500788787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:14.448226929 CET878750078192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:14.578121901 CET500798787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:14.583060026 CET878750079192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:14.583188057 CET500798787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:14.583560944 CET500798787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:14.588480949 CET878750079192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:16.003546953 CET878750079192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:16.004484892 CET500798787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:16.004484892 CET500798787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:16.009329081 CET878750079192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:16.140599012 CET500808787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:16.145705938 CET878750080192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:16.149163961 CET500808787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:16.149163961 CET500808787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:16.154014111 CET878750080192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:17.584794044 CET878750080192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:17.585051060 CET500808787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:17.585051060 CET500808787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:17.589919090 CET878750080192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:17.718607903 CET500818787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:17.723575115 CET878750081192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:17.723701000 CET500818787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:17.724011898 CET500818787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:17.728827953 CET878750081192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:19.144784927 CET878750081192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:19.144876003 CET500818787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:19.144978046 CET500818787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:19.149808884 CET878750081192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:19.265460968 CET500828787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:19.270387888 CET878750082192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:19.270462036 CET500828787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:19.270782948 CET500828787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:19.275608063 CET878750082192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:20.688994884 CET878750082192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:20.689143896 CET500828787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:20.689143896 CET500828787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:20.694055080 CET878750082192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:20.812340975 CET500838787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:20.817327976 CET878750083192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:20.817456961 CET500838787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:20.817754984 CET500838787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:20.822670937 CET878750083192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:22.231439114 CET878750083192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:22.231821060 CET500838787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:22.231821060 CET500838787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:22.236717939 CET878750083192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:22.343683958 CET500848787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:22.348680019 CET878750084192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:22.348891020 CET500848787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:22.349289894 CET500848787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:22.354022980 CET878750084192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:23.768373966 CET878750084192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:23.768450975 CET500848787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:23.768488884 CET500848787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:23.773319006 CET878750084192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:23.892185926 CET500858787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:23.897125006 CET878750085192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:23.897233009 CET500858787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:23.902806044 CET500858787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:23.907568932 CET878750085192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:25.326858997 CET878750085192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:25.326922894 CET500858787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:25.327037096 CET500858787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:25.331907034 CET878750085192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:25.437220097 CET500868787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:25.442270994 CET878750086192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:25.442348957 CET500868787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:25.442610979 CET500868787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:25.447416067 CET878750086192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:26.864207029 CET878750086192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:26.869504929 CET500868787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:26.869504929 CET500868787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:26.876523018 CET878750086192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:26.984113932 CET500878787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:26.989268064 CET878750087192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:26.989373922 CET500878787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:26.989638090 CET500878787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:26.995417118 CET878750087192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:28.411403894 CET878750087192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:28.411504984 CET500878787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:28.411550999 CET500878787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:28.417113066 CET878750087192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:28.515496969 CET500888787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:28.520648956 CET878750088192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:28.520742893 CET500888787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:28.521063089 CET500888787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:28.525943041 CET878750088192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:29.936388016 CET878750088192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:29.936464071 CET500888787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:29.936510086 CET500888787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:29.941349030 CET878750088192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:30.035171032 CET500898787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:30.040365934 CET878750089192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:30.040467978 CET500898787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:30.040904045 CET500898787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:30.045768023 CET878750089192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:31.454396009 CET878750089192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:31.454478025 CET500898787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:31.454511881 CET500898787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:31.459479094 CET878750089192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:31.546626091 CET500908787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:31.551561117 CET878750090192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:31.553383112 CET500908787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:31.553670883 CET500908787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:31.558557987 CET878750090192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:32.968254089 CET878750090192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:32.968360901 CET500908787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:33.022346020 CET500908787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:33.027229071 CET878750090192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:33.225241899 CET500918787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:33.230211973 CET878750091192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:33.230298042 CET500918787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:33.230978966 CET500918787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:33.235745907 CET878750091192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:34.622385979 CET878750091192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:34.622524023 CET500918787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:34.622823954 CET500918787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:34.627604961 CET878750091192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:34.718462944 CET500928787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:34.723365068 CET878750092192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:34.723592997 CET500928787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:34.723920107 CET500928787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:34.728691101 CET878750092192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:36.123023033 CET878750092192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:36.123121977 CET500928787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:36.123121977 CET500928787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:36.127964020 CET878750092192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:36.218755007 CET500938787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:36.223722935 CET878750093192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:36.223795891 CET500938787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:36.224251032 CET500938787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:36.229105949 CET878750093192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:37.638150930 CET878750093192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:37.638262033 CET500938787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:37.638299942 CET500938787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:37.643101931 CET878750093192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:37.718488932 CET500968787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:37.723453999 CET878750096192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:37.723551035 CET500968787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:37.723860979 CET500968787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:37.728751898 CET878750096192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:39.126576900 CET878750096192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:39.126775980 CET500968787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:39.126775980 CET500968787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:39.131623030 CET878750096192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:39.219360113 CET500978787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:39.224276066 CET878750097192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:39.224853039 CET500978787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:39.225785971 CET500978787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:39.230638981 CET878750097192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:40.678740978 CET878750097192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:40.678836107 CET500978787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:40.678870916 CET500978787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:40.683717012 CET878750097192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:40.765435934 CET500988787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:40.770400047 CET878750098192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:40.770495892 CET500988787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:40.770812035 CET500988787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:40.775636911 CET878750098192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:42.235821962 CET878750098192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:42.235896111 CET500988787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:42.235999107 CET500988787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:42.240941048 CET878750098192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:42.312552929 CET500998787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:42.317557096 CET878750099192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:42.317635059 CET500998787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:42.318062067 CET500998787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:42.322891951 CET878750099192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:43.784099102 CET878750099192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:43.784210920 CET500998787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:43.784245014 CET500998787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:43.791419029 CET878750099192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:43.859364986 CET501008787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:43.864329100 CET878750100192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:43.864444017 CET501008787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:43.864778042 CET501008787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:43.869510889 CET878750100192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:45.263046980 CET878750100192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:45.265383005 CET501008787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:45.269619942 CET501008787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:45.277869940 CET878750100192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:45.343456030 CET501018787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:45.351150036 CET878750101192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:45.351247072 CET501018787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:45.351541996 CET501018787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:45.358818054 CET878750101192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:46.766968012 CET878750101192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:46.767047882 CET501018787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:46.767086983 CET501018787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:46.771927118 CET878750101192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:46.843604088 CET501028787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:46.848716021 CET878750102192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:46.848826885 CET501028787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:46.849128008 CET501028787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:46.853992939 CET878750102192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:48.252593040 CET878750102192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:48.252651930 CET501028787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:48.252717018 CET501028787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:48.257503033 CET878750102192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:48.328279972 CET501038787192.168.2.6192.210.150.26
                                            Jan 11, 2025 02:34:48.333385944 CET878750103192.210.150.26192.168.2.6
                                            Jan 11, 2025 02:34:48.333523989 CET501038787192.168.2.6192.210.150.26

                                            Target ID:0
                                            Start time:20:30:54
                                            Start date:10/01/2025
                                            Path:C:\Users\user\Desktop\8kjlHXmbAY.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\8kjlHXmbAY.exe"
                                            Imagebase:0x2d0000
                                            File size:883'712 bytes
                                            MD5 hash:57F7D9095490A4AADDA9E261FEC73A68
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:20:30:57
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\8kjlHXmbAY.exe"
                                            Imagebase:0x7d0000
                                            File size:883'712 bytes
                                            MD5 hash:57F7D9095490A4AADDA9E261FEC73A68
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.2279878788.00000000033F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            Antivirus matches:
                                            • Detection: 100%, Joe Sandbox ML
                                            • Detection: 71%, ReversingLabs
                                            Reputation:low
                                            Has exited:true

                                            Target ID:3
                                            Start time:20:31:01
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"
                                            Imagebase:0x7d0000
                                            File size:883'712 bytes
                                            MD5 hash:57F7D9095490A4AADDA9E261FEC73A68
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4673994833.000000000125C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4674197020.00000000012EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4673225476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4674782285.0000000003FEF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.4674734687.0000000003B70000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4674388122.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.4674277679.000000000136C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            Reputation:low
                                            Has exited:false

                                            Target ID:7
                                            Start time:20:31:10
                                            Start date:10/01/2025
                                            Path:C:\Windows\System32\wscript.exe
                                            Wow64 process (32bit):false
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bankrupture.vbs"
                                            Imagebase:0x7ff6a99e0000
                                            File size:170'496 bytes
                                            MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:20:31:11
                                            Start date:10/01/2025
                                            Path:C:\Users\user\AppData\Local\ectosphere\bankrupture.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\AppData\Local\ectosphere\bankrupture.exe"
                                            Imagebase:0x7d0000
                                            File size:883'712 bytes
                                            MD5 hash:57F7D9095490A4AADDA9E261FEC73A68
                                            Has elevated privileges:false
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2406102574.000000000145C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.2406547212.0000000002020000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000008.00000002.2404726914.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:3.7%
                                              Dynamic/Decrypted Code Coverage:0.4%
                                              Signature Coverage:10.7%
                                              Total number of Nodes:2000
                                              Total number of Limit Nodes:54
89 API calls 4 library calls 101267->101456 101269 2e0ce4 101270 2e0cfa 101269->101270 101453 2e1070 10 API calls Mailbox 101269->101453 101270->101216 101273 2e0ee4 101273->101270 101275 2e0ef1 101273->101275 101274 2e0a4b PeekMessageW 101293 2e0a05 Mailbox 101274->101293 101454 2e1093 331 API calls Mailbox 101275->101454 101277 2e0ef8 LockWindowUpdate DestroyWindow GetMessageW 101277->101270 101280 2e0f2a 101277->101280 101279 314e81 Sleep 101279->101293 101282 315c58 TranslateMessage DispatchMessageW GetMessageW 101280->101282 101281->101293 101457 2d9e5d 60 API calls 101281->101457 101458 326349 331 API calls 101281->101458 101282->101282 101284 315c88 101282->101284 101284->101270 101285 314d50 TranslateAcceleratorW 101287 2e0e43 PeekMessageW 101285->101287 101285->101293 101286 2e0ea5 TranslateMessage DispatchMessageW 101286->101287 101287->101293 101288 2f0db6 59 API calls Mailbox 101288->101293 101289 2e0d13 timeGetTime 101289->101293 101290 31581f WaitForSingleObject 101292 31583c GetExitCodeProcess CloseHandle 101290->101292 101290->101293 101302 2e0f95 101292->101302 101293->101269 101293->101274 101293->101279 101293->101285 101293->101286 101293->101287 101293->101288 101293->101289 101293->101290 101294 2e0e5f Sleep 101293->101294 101295 2d8047 59 API calls 101293->101295 101297 315af8 Sleep 101293->101297 101299 2e0e70 Mailbox 101293->101299 101300 2db73c 304 API calls 101293->101300 101293->101302 101304 2e0f4e timeGetTime 101293->101304 101307 2d9837 84 API calls 101293->101307 101315 2d9e5d 60 API calls 101293->101315 101325 2d9ea0 304 API calls 101293->101325 101326 2dfce0 304 API calls 101293->101326 101331 339e4a 89 API calls 101293->101331 101332 2d9c90 59 API calls Mailbox 101293->101332 101333 2d84c0 69 API calls 101293->101333 101335 32617e 59 API calls Mailbox 101293->101335 101336 2d7de1 59 API calls 101293->101336 101337 2d89b3 69 API calls 101293->101337 101338 3155d5 VariantClear 101293->101338 101339 31566b VariantClear 101293->101339 
101340 315419 VariantClear 101293->101340 101341 326e8f 59 API calls 101293->101341 101342 2d8cd4 59 API calls Mailbox 101293->101342 101397 2de6a0 101293->101397 101428 2df460 101293->101428 101447 2d31ce 101293->101447 101452 2de420 331 API calls 101293->101452 101459 356018 59 API calls 101293->101459 101460 339a15 59 API calls Mailbox 101293->101460 101461 32d4f2 59 API calls 101293->101461 101462 3260ef 59 API calls 2 library calls 101293->101462 101463 2d8401 59 API calls 101293->101463 101464 2d82df 59 API calls Mailbox 101293->101464 101294->101299 101295->101293 101296 2d7667 59 API calls 101296->101299 101297->101299 101299->101293 101299->101296 101299->101302 101303 2f049f timeGetTime 101299->101303 101308 315b8f GetExitCodeProcess 101299->101308 101311 355f25 110 API calls 101299->101311 101312 2db7dd 109 API calls 101299->101312 101316 315874 101299->101316 101317 315c17 Sleep 101299->101317 101318 315078 Sleep 101299->101318 101320 2d7de1 59 API calls 101299->101320 101465 332408 60 API calls 101299->101465 101466 2d9e5d 60 API calls 101299->101466 101467 2d89b3 69 API calls Mailbox 101299->101467 101468 2db73c 331 API calls 101299->101468 101469 3264da 60 API calls 101299->101469 101470 335244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 101299->101470 101471 333c55 66 API calls Mailbox 101299->101471 101300->101293 101302->101216 101303->101299 101455 2d9e5d 60 API calls 101304->101455 101307->101293 101313 315ba5 WaitForSingleObject 101308->101313 101314 315bbb CloseHandle 101308->101314 101311->101299 101312->101299 101313->101293 101313->101314 101314->101299 101315->101293 101316->101302 101317->101293 101318->101293 101320->101299 101325->101293 101326->101293 101331->101293 101332->101293 101333->101293 101335->101293 101336->101293 101337->101293 101338->101293 101339->101293 101340->101293 101341->101293 101342->101293 101343->101239 101344->101210 101345->101222 101346->101222 101348 2d9ebf 
101347->101348 101363 2d9eed Mailbox 101347->101363 101349 2f0db6 Mailbox 59 API calls 101348->101349 101349->101363 101350 2db475 101351 2d8047 59 API calls 101350->101351 101366 2da057 101351->101366 101352 2db47a 101353 310055 101352->101353 101370 3109e5 101352->101370 102628 339e4a 89 API calls 4 library calls 101353->102628 101355 2f0db6 59 API calls Mailbox 101355->101363 101358 310064 101358->101206 101359 2d8047 59 API calls 101359->101363 101361 2d7667 59 API calls 101361->101363 101363->101350 101363->101352 101363->101353 101363->101355 101363->101359 101363->101361 101364 2f2d40 67 API calls __cinit 101363->101364 101365 326e8f 59 API calls 101363->101365 101363->101366 101367 3109d6 101363->101367 101369 2da55a 101363->101369 102611 2db900 101363->102611 102627 2dc8c0 331 API calls 2 library calls 101363->102627 101364->101363 101365->101363 101366->101206 102630 339e4a 89 API calls 4 library calls 101367->102630 102629 339e4a 89 API calls 4 library calls 101369->102629 102631 339e4a 89 API calls 4 library calls 101370->102631 101371->101210 101372->101169 101373->101229 101374->101180 101375->101229 101376->101229 101377->101181 101378->101195 101379->101190 101380->101190 101381->101193 101382->101198 101383->101222 101384->101222 101385->101222 101386->101222 101388 2d84cb 101387->101388 101390 2d84f2 101388->101390 102637 2d89b3 69 API calls Mailbox 101388->102637 101390->101221 101391->101229 101392->101212 101393->101175 101394->101229 101395->101257 101396->101264 101398 2de6d5 101397->101398 101399 313aa9 101398->101399 101402 2de73f 101398->101402 101411 2de799 101398->101411 101400 2d9ea0 331 API calls 101399->101400 101401 313abe 101400->101401 101427 2de970 Mailbox 101401->101427 101473 339e4a 89 API calls 4 library calls 101401->101473 101405 2d7667 59 API calls 101402->101405 101402->101411 101403 2d7667 59 API calls 101403->101411 101407 313b04 101405->101407 101406 2f2d40 __cinit 67 API calls 101406->101411 101408 2f2d40 __cinit 67 API 
calls 101407->101408 101408->101411 101409 313b26 101409->101293 101410 2d84c0 69 API calls 101410->101427 101411->101403 101411->101406 101411->101409 101412 2de95a 101411->101412 101411->101427 101412->101427 101474 339e4a 89 API calls 4 library calls 101412->101474 101414 2d9ea0 331 API calls 101414->101427 101415 2d8d40 59 API calls 101415->101427 101422 339e4a 89 API calls 101422->101427 101424 313e25 101424->101293 101425 2df195 101478 339e4a 89 API calls 4 library calls 101425->101478 101426 2dea78 101426->101293 101427->101410 101427->101414 101427->101415 101427->101422 101427->101425 101427->101426 101472 2d7f77 59 API calls 2 library calls 101427->101472 101475 326e8f 59 API calls 101427->101475 101476 34c5c3 331 API calls 101427->101476 101477 34b53c 331 API calls Mailbox 101427->101477 101479 2d9c90 59 API calls Mailbox 101427->101479 101480 3493c6 331 API calls Mailbox 101427->101480 101429 2df4ba 101428->101429 101430 2df650 101428->101430 101431 2df4c6 101429->101431 101432 31441e 101429->101432 101433 2d7de1 59 API calls 101430->101433 101579 2df290 331 API calls 2 library calls 101431->101579 101581 34bc6b 101432->101581 101439 2df58c Mailbox 101433->101439 101436 31442c 101440 2df630 101436->101440 101621 339e4a 89 API calls 4 library calls 101436->101621 101438 2df4fd 101438->101436 101438->101439 101438->101440 101481 333c37 101439->101481 101484 2d4e4a 101439->101484 101490 34445a 101439->101490 101499 33cb7a 101439->101499 101440->101293 101442 2df5e3 101442->101440 101580 2d9c90 59 API calls Mailbox 101442->101580 101448 2d3212 101447->101448 101449 2d31e0 101447->101449 101448->101293 101449->101448 101450 2d3205 IsDialogMessageW 101449->101450 101451 30cf32 GetClassLongW 101449->101451 101450->101448 101450->101449 101451->101449 101451->101450 101452->101293 101453->101273 101454->101277 101455->101293 101456->101281 101457->101281 101458->101281 101459->101293 101460->101293 101461->101293 101462->101293 101463->101293 101464->101293 
101465->101299 101466->101299 101467->101299 101468->101299 101469->101299 101470->101299 101471->101299 101472->101427 101473->101427 101474->101427 101475->101427 101476->101427 101477->101427 101478->101424 101479->101427 101480->101427 101622 33445a GetFileAttributesW 101481->101622 101485 2d4e5b 101484->101485 101486 2d4e54 101484->101486 101488 2d4e7b FreeLibrary 101485->101488 101489 2d4e6a 101485->101489 101626 2f53a6 101486->101626 101488->101489 101489->101442 101491 2d9837 84 API calls 101490->101491 101492 344494 101491->101492 101896 2d6240 101492->101896 101494 3444a4 101495 2d9ea0 331 API calls 101494->101495 101496 3444c9 101494->101496 101495->101496 101498 3444cd 101496->101498 101921 2d9a98 59 API calls Mailbox 101496->101921 101498->101442 101500 2d7667 59 API calls 101499->101500 101501 33cbaf 101500->101501 101502 2d7667 59 API calls 101501->101502 101503 33cbb8 101502->101503 101504 33cbcc 101503->101504 102137 2d9b3c 59 API calls 101503->102137 101506 2d9837 84 API calls 101504->101506 101507 33cbe9 101506->101507 101508 33cc0b 101507->101508 101509 33ccea 101507->101509 101514 33cd1a Mailbox 101507->101514 101510 2d9837 84 API calls 101508->101510 101941 2d4ddd 101509->101941 101512 33cc17 101510->101512 101515 2d8047 59 API calls 101512->101515 101514->101442 101521 33cc23 101515->101521 101516 33cd16 101516->101514 101517 2d7667 59 API calls 101516->101517 101519 33cd4b 101517->101519 101518 2d4ddd 136 API calls 101518->101516 101520 2d7667 59 API calls 101519->101520 101522 33cd54 101520->101522 101523 33cc37 101521->101523 101524 33cc69 101521->101524 101526 2d7667 59 API calls 101522->101526 101527 2d8047 59 API calls 101523->101527 101525 2d9837 84 API calls 101524->101525 101528 33cc76 101525->101528 101529 33cd5d 101526->101529 101530 33cc47 101527->101530 101531 2d8047 59 API calls 101528->101531 101532 2d7667 59 API calls 101529->101532 101533 2d7cab 59 API calls 101530->101533 101534 33cc82 101531->101534 101535 33cd66 
101532->101535 101536 33cc51 101533->101536 102138 334a31 GetFileAttributesW 101534->102138 101539 2d9837 84 API calls 101535->101539 101537 2d9837 84 API calls 101536->101537 101540 33cc5d 101537->101540 101542 33cd73 101539->101542 101543 2d7b2e 59 API calls 101540->101543 101541 33cc8b 101544 33cc9e 101541->101544 101547 2d79f2 59 API calls 101541->101547 101965 2d459b 101542->101965 101543->101524 101546 2d9837 84 API calls 101544->101546 101554 33cca4 101544->101554 101549 33cccb 101546->101549 101547->101544 101548 33cd8e 102016 2d79f2 101548->102016 102139 3337ef 75 API calls Mailbox 101549->102139 101553 33cdd1 101556 2d8047 59 API calls 101553->101556 101554->101514 101555 2d79f2 59 API calls 101557 33cdae 101555->101557 101558 33cddf 101556->101558 101557->101553 101560 2d7bcc 59 API calls 101557->101560 102019 2d7b2e 101558->102019 101562 33cdc3 101560->101562 101564 2d7bcc 59 API calls 101562->101564 101563 2d7b2e 59 API calls 101565 33cdfb 101563->101565 101564->101553 101566 2d7b2e 59 API calls 101565->101566 101567 33ce09 101566->101567 101568 2d9837 84 API calls 101567->101568 101569 33ce15 101568->101569 102028 334071 101569->102028 101571 33ce26 101572 333c37 3 API calls 101571->101572 101573 33ce30 101572->101573 101574 2d9837 84 API calls 101573->101574 101578 33ce61 101573->101578 101575 33ce4e 101574->101575 102082 339155 101575->102082 101577 2d4e4a 84 API calls 101577->101514 101578->101577 101579->101438 101580->101442 101582 34bc96 101581->101582 101583 34bcb0 101581->101583 102603 339e4a 89 API calls 4 library calls 101582->102603 102604 34a213 59 API calls Mailbox 101583->102604 101586 34bcbb 101587 2d9ea0 330 API calls 101586->101587 101588 34bd1c 101587->101588 101589 34bdae 101588->101589 101592 34bd5d 101588->101592 101605 34bca8 Mailbox 101588->101605 101590 34be04 101589->101590 101591 34bdb4 101589->101591 101593 2d9837 84 API calls 101590->101593 101590->101605 102606 33791a 59 API calls 101591->102606 102605 3372df 59 API calls 
Mailbox 101592->102605 101594 34be16 101593->101594 101596 2d7e4f 59 API calls 101594->101596 101599 34be3a CharUpperBuffW 101596->101599 101597 34bdd7 102607 2d5d41 59 API calls Mailbox 101597->102607 101604 34be54 101599->101604 101601 34bd8d 101603 2df460 330 API calls 101601->101603 101602 34bddf Mailbox 101608 2dfce0 330 API calls 101602->101608 101603->101605 101606 34bea7 101604->101606 101607 34be5b 101604->101607 101605->101436 101609 2d9837 84 API calls 101606->101609 102608 3372df 59 API calls Mailbox 101607->102608 101608->101605 101610 34beaf 101609->101610 102609 2d9e5d 60 API calls 101610->102609 101613 34be89 101614 2df460 330 API calls 101613->101614 101614->101605 101615 34beb9 101615->101605 101616 2d9837 84 API calls 101615->101616 101617 34bed4 101616->101617 102610 2d5d41 59 API calls Mailbox 101617->102610 101619 34bee4 101620 2dfce0 330 API calls 101619->101620 101620->101605 101621->101440 101623 334475 FindFirstFileW 101622->101623 101624 333c3e 101622->101624 101623->101624 101625 33448a FindClose 101623->101625 101624->101442 101625->101624 101627 2f53b2 __write 101626->101627 101628 2f53de 101627->101628 101629 2f53c6 101627->101629 101636 2f53d6 __write 101628->101636 101639 2f6c11 101628->101639 101661 2f8b28 58 API calls __getptd_noexit 101629->101661 101632 2f53cb 101662 2f8db6 9 API calls _memcpy_s 101632->101662 101636->101485 101640 2f6c43 RtlEnterCriticalSection 101639->101640 101641 2f6c21 101639->101641 101643 2f53f0 101640->101643 101641->101640 101642 2f6c29 101641->101642 101644 2f9c0b __lock 58 API calls 101642->101644 101645 2f533a 101643->101645 101644->101643 101646 2f535d 101645->101646 101647 2f5349 101645->101647 101651 2f5359 101646->101651 101664 2f4a3d 101646->101664 101707 2f8b28 58 API calls __getptd_noexit 101647->101707 101650 2f534e 101708 2f8db6 9 API calls _memcpy_s 101650->101708 101663 2f5415 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 101651->101663 101657 2f5377 101681 300a02 101657->101681 
101659 2f537d 101659->101651 101660 2f2d55 _free 58 API calls 101659->101660 101660->101651 101661->101632 101662->101636 101663->101636 101665 2f4a50 101664->101665 101669 2f4a74 101664->101669 101666 2f46e6 _fprintf 58 API calls 101665->101666 101665->101669 101667 2f4a6d 101666->101667 101709 2fd886 101667->101709 101670 300b77 101669->101670 101671 300b84 101670->101671 101673 2f5371 101670->101673 101672 2f2d55 _free 58 API calls 101671->101672 101671->101673 101672->101673 101674 2f46e6 101673->101674 101675 2f4705 101674->101675 101676 2f46f0 101674->101676 101675->101657 101851 2f8b28 58 API calls __getptd_noexit 101676->101851 101678 2f46f5 101852 2f8db6 9 API calls _memcpy_s 101678->101852 101680 2f4700 101680->101657 101682 300a0e __write 101681->101682 101683 300a32 101682->101683 101684 300a1b 101682->101684 101686 300abd 101683->101686 101687 300a42 101683->101687 101868 2f8af4 58 API calls __getptd_noexit 101684->101868 101873 2f8af4 58 API calls __getptd_noexit 101686->101873 101690 300a60 101687->101690 101691 300a6a 101687->101691 101689 300a20 101869 2f8b28 58 API calls __getptd_noexit 101689->101869 101870 2f8af4 58 API calls __getptd_noexit 101690->101870 101695 2fd206 ___lock_fhandle 59 API calls 101691->101695 101692 300a65 101874 2f8b28 58 API calls __getptd_noexit 101692->101874 101697 300a70 101695->101697 101699 300a83 101697->101699 101700 300a8e 101697->101700 101698 300ac9 101875 2f8db6 9 API calls _memcpy_s 101698->101875 101853 300add 101699->101853 101871 2f8b28 58 API calls __getptd_noexit 101700->101871 101703 300a27 __write 101703->101659 101705 300a89 101872 300ab5 RtlLeaveCriticalSection __unlock_fhandle 101705->101872 101707->101650 101708->101651 101710 2fd892 __write 101709->101710 101711 2fd89f 101710->101711 101712 2fd8b6 101710->101712 101810 2f8af4 58 API calls __getptd_noexit 101711->101810 101714 2fd955 101712->101714 101715 2fd8ca 101712->101715 101816 2f8af4 58 API calls __getptd_noexit 101714->101816 101718 2fd8e8 
101715->101718 101719 2fd8f2 101715->101719 101717 2fd8a4 101811 2f8b28 58 API calls __getptd_noexit 101717->101811 101812 2f8af4 58 API calls __getptd_noexit 101718->101812 101737 2fd206 101719->101737 101720 2fd8ed 101817 2f8b28 58 API calls __getptd_noexit 101720->101817 101724 2fd8f8 101726 2fd91e 101724->101726 101727 2fd90b 101724->101727 101813 2f8b28 58 API calls __getptd_noexit 101726->101813 101746 2fd975 101727->101746 101728 2fd961 101818 2f8db6 9 API calls _memcpy_s 101728->101818 101732 2fd8ab __write 101732->101669 101733 2fd917 101815 2fd94d RtlLeaveCriticalSection __unlock_fhandle 101733->101815 101734 2fd923 101814 2f8af4 58 API calls __getptd_noexit 101734->101814 101738 2fd212 __write 101737->101738 101739 2fd261 RtlEnterCriticalSection 101738->101739 101741 2f9c0b __lock 58 API calls 101738->101741 101740 2fd287 __write 101739->101740 101740->101724 101742 2fd237 101741->101742 101743 2fd24f 101742->101743 101819 2f9e2b InitializeCriticalSectionAndSpinCount 101742->101819 101820 2fd28b RtlLeaveCriticalSection _doexit 101743->101820 101747 2fd982 __ftell_nolock 101746->101747 101748 2fd9c1 101747->101748 101749 2fd9e0 101747->101749 101777 2fd9b6 101747->101777 101830 2f8af4 58 API calls __getptd_noexit 101748->101830 101752 2fda38 101749->101752 101753 2fda1c 101749->101753 101757 2fda51 101752->101757 101836 3018c1 60 API calls 3 library calls 101752->101836 101833 2f8af4 58 API calls __getptd_noexit 101753->101833 101754 2fe1d6 101754->101733 101755 2fd9c6 101831 2f8b28 58 API calls __getptd_noexit 101755->101831 101821 305c6b 101757->101821 101760 2fd9cd 101832 2f8db6 9 API calls _memcpy_s 101760->101832 101762 2fda21 101834 2f8b28 58 API calls __getptd_noexit 101762->101834 101764 2fda5f 101766 2fddb8 101764->101766 101837 2f99ac 58 API calls 2 library calls 101764->101837 101768 2fe14b WriteFile 101766->101768 101769 2fddd6 101766->101769 101767 2fda28 101835 2f8db6 9 API calls _memcpy_s 101767->101835 101772 2fddab GetLastError 
101768->101772 101779 2fdd78 101768->101779 101773 2fdefa 101769->101773 101782 2fddec 101769->101782 101772->101779 101784 2fdf05 101773->101784 101787 2fdfef 101773->101787 101774 2fda8b GetConsoleMode 101774->101766 101776 2fdaca 101774->101776 101775 2fe184 101775->101777 101842 2f8b28 58 API calls __getptd_noexit 101775->101842 101776->101766 101780 2fdada GetConsoleCP 101776->101780 101844 2fc5f6 101777->101844 101779->101775 101779->101777 101786 2fded8 101779->101786 101780->101775 101803 2fdb09 101780->101803 101781 2fde5b WriteFile 101781->101772 101783 2fde98 101781->101783 101782->101775 101782->101781 101783->101782 101804 2fdebc 101783->101804 101784->101775 101788 2fdf6a WriteFile 101784->101788 101785 2fe1b2 101843 2f8af4 58 API calls __getptd_noexit 101785->101843 101790 2fe17b 101786->101790 101791 2fdee3 101786->101791 101787->101775 101792 2fe064 WideCharToMultiByte 101787->101792 101788->101772 101793 2fdfb9 101788->101793 101841 2f8b07 58 API calls 3 library calls 101790->101841 101839 2f8b28 58 API calls __getptd_noexit 101791->101839 101792->101772 101801 2fe0ab 101792->101801 101793->101779 101793->101784 101793->101804 101796 2fe0b3 WriteFile 101799 2fe106 GetLastError 101796->101799 101796->101801 101797 2fdee8 101840 2f8af4 58 API calls __getptd_noexit 101797->101840 101799->101801 101801->101779 101801->101787 101801->101796 101801->101804 101802 307a5e WriteConsoleW CreateFileW __putwch_nolock 101809 2fdc5f 101802->101809 101803->101779 101805 3062ba 60 API calls __write_nolock 101803->101805 101806 2fdbf2 WideCharToMultiByte 101803->101806 101803->101809 101838 2f35f5 58 API calls __isleadbyte_l 101803->101838 101804->101779 101805->101803 101806->101779 101807 2fdc2d WriteFile 101806->101807 101807->101772 101807->101809 101808 2fdc87 WriteFile 101808->101772 101808->101809 101809->101772 101809->101779 101809->101802 101809->101803 101809->101808 101810->101717 101811->101732 101812->101720 101813->101734 101814->101733 
101815->101732 101816->101720 101817->101728 101818->101732 101819->101743 101820->101739 101822 305c76 101821->101822 101824 305c83 101821->101824 101823 2f8b28 _memcpy_s 58 API calls 101822->101823 101825 305c7b 101823->101825 101826 305c8f 101824->101826 101827 2f8b28 _memcpy_s 58 API calls 101824->101827 101825->101764 101826->101764 101828 305cb0 101827->101828 101829 2f8db6 _memcpy_s 9 API calls 101828->101829 101829->101825 101830->101755 101831->101760 101832->101777 101833->101762 101834->101767 101835->101777 101836->101757 101837->101774 101838->101803 101839->101797 101840->101777 101841->101777 101842->101785 101843->101777 101845 2fc5fe 101844->101845 101846 2fc600 IsProcessorFeaturePresent 101844->101846 101845->101754 101848 30590a 101846->101848 101849 3058b9 ___raise_securityfailure 5 API calls 101848->101849 101850 3059ed 101849->101850 101850->101754 101851->101678 101852->101680 101876 2fd4c3 101853->101876 101855 300b41 101889 2fd43d 59 API calls 2 library calls 101855->101889 101856 300aeb 101856->101855 101857 300b1f 101856->101857 101859 2fd4c3 __chsize_nolock 58 API calls 101856->101859 101857->101855 101860 2fd4c3 __chsize_nolock 58 API calls 101857->101860 101862 300b16 101859->101862 101863 300b2b CloseHandle 101860->101863 101861 300b49 101864 300b6b 101861->101864 101890 2f8b07 58 API calls 3 library calls 101861->101890 101866 2fd4c3 __chsize_nolock 58 API calls 101862->101866 101863->101855 101867 300b37 GetLastError 101863->101867 101864->101705 101866->101857 101867->101855 101868->101689 101869->101703 101870->101692 101871->101705 101872->101703 101873->101692 101874->101698 101875->101703 101877 2fd4ce 101876->101877 101878 2fd4e3 101876->101878 101891 2f8af4 58 API calls __getptd_noexit 101877->101891 101883 2fd508 101878->101883 101893 2f8af4 58 API calls __getptd_noexit 101878->101893 101880 2fd4d3 101892 2f8b28 58 API calls __getptd_noexit 101880->101892 101883->101856 101884 2fd512 101894 2f8b28 58 API calls 
__getptd_noexit 101884->101894 101885 2fd4db 101885->101856 101887 2fd51a 101895 2f8db6 9 API calls _memcpy_s 101887->101895 101889->101861 101890->101864 101891->101880 101892->101885 101893->101884 101894->101887 101895->101885 101922 2d7a16 101896->101922 101898 2d646a 101929 2d750f 101898->101929 101900 2d6484 Mailbox 101900->101494 101903 2d750f 59 API calls 101917 2d6265 101903->101917 101904 30dff6 101939 32f8aa 91 API calls 4 library calls 101904->101939 101908 2d7d8c 59 API calls 101908->101917 101909 30e004 101910 2d750f 59 API calls 101909->101910 101912 30e01a 101910->101912 101911 2d6799 _memmove 101940 32f8aa 91 API calls 4 library calls 101911->101940 101912->101900 101913 30df92 101914 2d8029 59 API calls 101913->101914 101916 30df9d 101914->101916 101920 2f0db6 Mailbox 59 API calls 101916->101920 101917->101898 101917->101903 101917->101904 101917->101908 101917->101911 101917->101913 101918 2d7e4f 59 API calls 101917->101918 101927 2d5f6c 60 API calls 101917->101927 101928 2d5d41 59 API calls Mailbox 101917->101928 101937 2d5e72 60 API calls 101917->101937 101938 2d7924 59 API calls 2 library calls 101917->101938 101919 2d643b CharUpperBuffW 101918->101919 101919->101917 101920->101911 101921->101498 101923 2f0db6 Mailbox 59 API calls 101922->101923 101924 2d7a3b 101923->101924 101925 2d8029 59 API calls 101924->101925 101926 2d7a4a 101925->101926 101926->101917 101927->101917 101928->101917 101930 2d75af 101929->101930 101931 2d7522 _memmove 101929->101931 101933 2f0db6 Mailbox 59 API calls 101930->101933 101932 2f0db6 Mailbox 59 API calls 101931->101932 101935 2d7529 101932->101935 101933->101931 101934 2d7552 101934->101900 101935->101934 101936 2f0db6 Mailbox 59 API calls 101935->101936 101936->101934 101937->101917 101938->101917 101939->101909 101940->101900 102140 2d4bb5 101941->102140 101946 2d4e08 LoadLibraryExW 102150 2d4b6a 101946->102150 101947 30d8e6 101949 2d4e4a 84 API calls 101947->101949 101951 30d8ed 101949->101951 101953 2d4b6a 
3 API calls 101951->101953 101955 30d8f5 101953->101955 101954 2d4e2f 101954->101955 101956 2d4e3b 101954->101956 102176 2d4f0b 101955->102176 101958 2d4e4a 84 API calls 101956->101958 101960 2d4e40 101958->101960 101960->101516 101960->101518 101962 30d91c 102184 2d4ec7 101962->102184 101966 2d7667 59 API calls 101965->101966 101967 2d45b1 101966->101967 101968 2d7667 59 API calls 101967->101968 101969 2d45b9 101968->101969 101970 2d7667 59 API calls 101969->101970 101971 2d45c1 101970->101971 101972 2d7667 59 API calls 101971->101972 101973 2d45c9 101972->101973 101974 2d45fd 101973->101974 101975 30d4d2 101973->101975 101976 2d784b 59 API calls 101974->101976 101977 2d8047 59 API calls 101975->101977 101978 2d460b 101976->101978 101979 30d4db 101977->101979 101980 2d7d2c 59 API calls 101978->101980 101981 2d7d8c 59 API calls 101979->101981 101982 2d4615 101980->101982 101984 2d4640 101981->101984 101983 2d784b 59 API calls 101982->101983 101982->101984 101987 2d4636 101983->101987 101985 2d4680 101984->101985 101988 2d465f 101984->101988 101998 30d4fb 101984->101998 102455 2d784b 101985->102455 101990 2d7d2c 59 API calls 101987->101990 101992 2d79f2 59 API calls 101988->101992 101989 2d4691 101993 2d46a3 101989->101993 101996 2d8047 59 API calls 101989->101996 101990->101984 101991 30d5cb 101994 2d7bcc 59 API calls 101991->101994 101995 2d4669 101992->101995 101997 2d46b3 101993->101997 101999 2d8047 59 API calls 101993->101999 102011 30d588 101994->102011 101995->101985 102002 2d784b 59 API calls 101995->102002 101996->101993 102001 2d46ba 101997->102001 102003 2d8047 59 API calls 101997->102003 101998->101991 102000 30d5b4 101998->102000 102010 30d532 101998->102010 101999->101997 102000->101991 102006 30d59f 102000->102006 102004 2d8047 59 API calls 102001->102004 102013 2d46c1 Mailbox 102001->102013 102002->101985 102003->102001 102004->102013 102005 2d79f2 59 API calls 102005->102011 102009 2d7bcc 59 API calls 102006->102009 102007 30d590 102008 2d7bcc 59 
34cb1a 103659->103660 103684 34cb61 Mailbox 103660->103684 103696 34d7a5 103660->103696 103662 34cdb9 103663 34cf2e 103662->103663 103667 34cdc7 103662->103667 103735 34d8c8 92 API calls Mailbox 103663->103735 103666 34cf3d 103666->103667 103669 34cf49 103666->103669 103709 34c96e 103667->103709 103668 2d9837 84 API calls 103687 34cbb2 Mailbox 103668->103687 103669->103684 103674 34ce00 103724 2f0c08 103674->103724 103677 34ce33 103680 2d92ce 59 API calls 103677->103680 103678 34ce1a 103730 339e4a 89 API calls 4 library calls 103678->103730 103681 34ce3f 103680->103681 103683 2d9050 59 API calls 103681->103683 103682 34ce25 GetCurrentProcess TerminateProcess 103682->103677 103685 34ce55 103683->103685 103684->103600 103694 34ce7c 103685->103694 103731 2d8d40 59 API calls Mailbox 103685->103731 103687->103662 103687->103668 103687->103684 103728 34fbce 59 API calls 2 library calls 103687->103728 103729 34cfdf 61 API calls 2 library calls 103687->103729 103688 34cfa4 103688->103684 103692 34cfb8 FreeLibrary 103688->103692 103689 34ce6b 103732 34d649 107 API calls _free 103689->103732 103692->103684 103694->103688 103733 2d8d40 59 API calls Mailbox 103694->103733 103734 2d9d3c 60 API calls Mailbox 103694->103734 103736 34d649 107 API calls _free 103694->103736 103697 2d7e4f 59 API calls 103696->103697 103698 34d7c0 CharLowerBuffW 103697->103698 103737 32f167 103698->103737 103702 2d7667 59 API calls 103703 34d7f9 103702->103703 103704 2d784b 59 API calls 103703->103704 103705 34d810 103704->103705 103707 2d7d2c 59 API calls 103705->103707 103706 34d858 Mailbox 103706->103687 103708 34d81c Mailbox 103707->103708 103708->103706 103744 34cfdf 61 API calls 2 library calls 103708->103744 103710 34c989 103709->103710 103714 34c9de 103709->103714 103711 2f0db6 Mailbox 59 API calls 103710->103711 103713 34c9ab 103711->103713 103712 2f0db6 Mailbox 59 API calls 103712->103713 103713->103712 103713->103714 103715 34da50 103714->103715 103716 34dc79 Mailbox 103715->103716 103723 
34da73 _strcat _wcscpy __NMSG_WRITE 103715->103723 103716->103674 103717 2d9be6 59 API calls 103717->103723 103718 2d9b3c 59 API calls 103718->103723 103719 2d9b98 59 API calls 103719->103723 103720 2d9837 84 API calls 103720->103723 103721 2f571c 58 API calls __crtCompareStringA_stat 103721->103723 103723->103716 103723->103717 103723->103718 103723->103719 103723->103720 103723->103721 103747 335887 61 API calls 2 library calls 103723->103747 103725 2f0c1d 103724->103725 103726 2f0cb5 VirtualProtect 103725->103726 103727 2f0c83 103725->103727 103726->103727 103727->103677 103727->103678 103728->103687 103729->103687 103730->103682 103731->103689 103732->103694 103733->103694 103734->103694 103735->103666 103736->103694 103738 32f192 __NMSG_WRITE 103737->103738 103741 32f1c7 103738->103741 103742 32f278 103738->103742 103743 32f1d1 103738->103743 103741->103743 103745 2d78c4 61 API calls 103741->103745 103742->103743 103746 2d78c4 61 API calls 103742->103746 103743->103702 103743->103708 103744->103706 103745->103741 103746->103742 103747->103723 103748->103614 103749->103614 103750->103615 103752 3260cb 103751->103752 103753 3260e8 103751->103753 103752->103753 103755 3260ab 59 API calls Mailbox 103752->103755 103753->103644 103755->103752 103756 2d3633 103757 2d366a 103756->103757 103758 2d3688 103757->103758 103759 2d36e7 103757->103759 103800 2d36e5 103757->103800 103763 2d374b PostQuitMessage 103758->103763 103764 2d3695 103758->103764 103761 2d36ed 103759->103761 103762 30d0cc 103759->103762 103760 2d36ca NtdllDefWindowProc_W 103797 2d36d8 103760->103797 103765 2d3715 SetTimer RegisterClipboardFormatW 103761->103765 103766 2d36f2 103761->103766 103811 2e1070 10 API calls Mailbox 103762->103811 103763->103797 103768 30d154 103764->103768 103769 2d36a0 103764->103769 103773 2d373e CreatePopupMenu 103765->103773 103765->103797 103770 2d36f9 KillTimer 103766->103770 103771 30d06f 103766->103771 103816 332527 71 API calls _memset 103768->103816 103774 2d36a8 
103769->103774 103775 2d3755 103769->103775 103808 2d443a Shell_NotifyIconW _memset 103770->103808 103777 30d074 103771->103777 103778 30d0a8 MoveWindow 103771->103778 103772 30d0f3 103812 2e1093 331 API calls Mailbox 103772->103812 103773->103797 103781 30d139 103774->103781 103782 2d36b3 103774->103782 103801 2d44a0 103775->103801 103785 30d097 SetFocus 103777->103785 103786 30d078 103777->103786 103778->103797 103781->103760 103815 327c36 59 API calls Mailbox 103781->103815 103788 2d36be 103782->103788 103789 30d124 103782->103789 103783 30d166 103783->103760 103783->103797 103785->103797 103786->103788 103790 30d081 103786->103790 103787 2d370c 103809 2d3114 DeleteObject DestroyWindow Mailbox 103787->103809 103788->103760 103813 2d443a Shell_NotifyIconW _memset 103788->103813 103814 332d36 81 API calls _memset 103789->103814 103810 2e1070 10 API calls Mailbox 103790->103810 103795 30d134 103795->103797 103798 30d118 103799 2d434a 68 API calls 103798->103799 103799->103800 103800->103760 103802 2d4539 103801->103802 103803 2d44b7 _memset 103801->103803 103802->103797 103804 2d407c 61 API calls 103803->103804 103806 2d44de 103804->103806 103805 2d4522 KillTimer SetTimer 103805->103802 103806->103805 103807 30d4ab Shell_NotifyIconW 103806->103807 103807->103805 103808->103787 103809->103797 103810->103797 103811->103772 103812->103788 103813->103798 103814->103795 103815->103800 103816->103783 103817 31416f 103821 325fe6 103817->103821 103819 31417a 103820 325fe6 85 API calls 103819->103820 103820->103819 103822 326020 103821->103822 103826 325ff3 103821->103826 103822->103819 103823 326022 103833 2d9328 84 API calls Mailbox 103823->103833 103824 326027 103827 2d9837 84 API calls 103824->103827 103826->103822 103826->103823 103826->103824 103830 32601a 103826->103830 103828 32602e 103827->103828 103829 2d7b2e 59 API calls 103828->103829 103829->103822 103832 2d95a0 59 API calls _wcsstr 103830->103832 103832->103822 103833->103824

                                              Control-flow Graph

                                              APIs
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D3B68
                                              • IsDebuggerPresent.KERNEL32 ref: 002D3B7A
                                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,003952F8,003952E0,?,?), ref: 002D3BEB
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                                • Part of subcall function 002E092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D3C14,003952F8,?,?,?), ref: 002E096E
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 002D3C6F
                                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00387770,00000010), ref: 0030D281
                                              • SetCurrentDirectoryW.KERNEL32(?,003952F8,?,?,?), ref: 0030D2B9
                                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00384260,003952F8,?,?,?), ref: 0030D33F
                                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 0030D346
                                                • Part of subcall function 002D3A46: GetSysColorBrush.USER32(0000000F), ref: 002D3A50
                                                • Part of subcall function 002D3A46: LoadCursorW.USER32(00000000,00007F00), ref: 002D3A5F
                                                • Part of subcall function 002D3A46: LoadIconW.USER32(00000063), ref: 002D3A76
                                                • Part of subcall function 002D3A46: LoadIconW.USER32(000000A4), ref: 002D3A88
                                                • Part of subcall function 002D3A46: LoadIconW.USER32(000000A2), ref: 002D3A9A
                                                • Part of subcall function 002D3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D3AC0
                                                • Part of subcall function 002D3A46: RegisterClassExW.USER32(?), ref: 002D3B16
                                                • Part of subcall function 002D39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D3A03
                                                • Part of subcall function 002D39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3A24
                                                • Part of subcall function 002D39D5: ShowWindow.USER32(00000000,?,?), ref: 002D3A38
                                                • Part of subcall function 002D39D5: ShowWindow.USER32(00000000,?,?), ref: 002D3A41
                                                • Part of subcall function 002D434A: _memset.LIBCMT ref: 002D4370
                                                • Part of subcall function 002D434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D4415
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                              • String ID: This is a third-party compiled AutoIt script.$runas$%6
                                              • API String ID: 529118366-1744524652
                                              • Opcode ID: cd37da3e7f2a4079162e39e4de42e1bae33044715ccf8f47a1ec17c91ed394bc
                                              • Instruction ID: 7908bf959f4bb1e4a43e736569b1c980cb9475c7bd910e97ec474962b7890e0a
                                              • Opcode Fuzzy Hash: cd37da3e7f2a4079162e39e4de42e1bae33044715ccf8f47a1ec17c91ed394bc
                                              • Instruction Fuzzy Hash: D2510534928248AEDF03EBB4DC169FD7B7DAF08750F1044A7F491A22A1DA715E95CF21

                                              Control-flow Graph

                                              APIs
                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 002D36D2
                                              • KillTimer.USER32(?,00000001), ref: 002D36FC
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D371F
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D372A
                                              • CreatePopupMenu.USER32 ref: 002D373E
                                              • PostQuitMessage.USER32(00000000), ref: 002D374D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                              • String ID: TaskbarCreated$%6
                                              • API String ID: 157504867-2273749167
                                              • Opcode ID: 2ac878dd3126be02920dab9f55841e59a598fa5589b1ba673878f625849eb796
                                              • Instruction ID: 8f6e94f443dcbfaedae245be72b742b415bedaa6e59aa4854f78980dd9c2130a
                                              • Opcode Fuzzy Hash: 2ac878dd3126be02920dab9f55841e59a598fa5589b1ba673878f625849eb796
                                              • Instruction Fuzzy Hash: 734116B1234906BBEB17EF64DC19B793B9CEB04300F100127F502963E1CAA1DEA097A6

                                              Control-flow Graph

                                              APIs
                                              • GetVersionExW.KERNEL32(?), ref: 002D49CD
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              • GetCurrentProcess.KERNEL32(?,0035FAEC,00000000,00000000,?), ref: 002D4A9A
                                              • IsWow64Process.KERNEL32(00000000), ref: 002D4AA1
                                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 002D4AE7
                                              • FreeLibrary.KERNEL32(00000000), ref: 002D4AF2
                                              • GetSystemInfo.KERNEL32(00000000), ref: 002D4B23
                                              • GetSystemInfo.KERNEL32(00000000), ref: 002D4B2F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                              • String ID:
                                              • API String ID: 1986165174-0
                                              • Opcode ID: e2fe8e64acc16f310adeccfbe84fe9423fd3ffef7d000f7342be070862614334
                                              • Instruction ID: 0a28d5442342f2b4baaf8772a2692f35b8dd41f2c0957fe3b6072d6c43dc64bf
                                              • Opcode Fuzzy Hash: e2fe8e64acc16f310adeccfbe84fe9423fd3ffef7d000f7342be070862614334
                                              • Instruction Fuzzy Hash: 6A91A33199A7C1DFC732DB6895601AABFF5AF2A300B4449AFD0CB93B41D270A908C759

                                              Control-flow Graph

                                              APIs
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 002D4E99
                                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,002D4D8E,?,?,00000000,00000000), ref: 002D4EB0
                                              • LoadResource.KERNEL32(?,00000000,?,?,002D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002D4E2F), ref: 0030D937
                                              • SizeofResource.KERNEL32(?,00000000,?,?,002D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002D4E2F), ref: 0030D94C
                                              • LockResource.KERNEL32(002D4D8E,?,?,002D4D8E,?,?,00000000,00000000,?,?,?,?,?,?,002D4E2F,00000000), ref: 0030D95F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                              • String ID: SCRIPT
                                              • API String ID: 3051347437-3967369404
                                              • Opcode ID: 9f7993fdee6c82f11021902aca928d60d548cc7112de702d10be069d92151d05
                                              • Instruction ID: fb75e846730e723e758519c201d91665c901b7573c4ebfea70e9c0bce71c790c
                                              • Opcode Fuzzy Hash: 9f7993fdee6c82f11021902aca928d60d548cc7112de702d10be069d92151d05
                                              • Instruction Fuzzy Hash: F4114CB5240701BFD7229B65EC48F677BBEEBC5B12F204669F405862A0DB71ED008A61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: pb9$%6
                                              • API String ID: 3964851224-553185763
                                              • Opcode ID: 6e84ba757afc8ffbb4d64033f95c5d2d81fa630ea83d15c036e81947c592cd9b
                                              • Instruction ID: 3d42990b6ce984041fff4218e62957015d98b87e035f70198d951dc6e0ea04b0
                                              • Opcode Fuzzy Hash: 6e84ba757afc8ffbb4d64033f95c5d2d81fa630ea83d15c036e81947c592cd9b
                                              • Instruction Fuzzy Hash: E1929B70618381CFD725CF15C480B6AB7E5BF89304F54896DE88A8B352D7B1EC96CB92
                                              APIs
                                              • LoadLibraryA.KERNEL32(?), ref: 00429B8A
                                              • GetProcAddress.KERNEL32(?,00422FF9), ref: 00429BA8
                                              • ExitProcess.KERNEL32(?,00422FF9), ref: 00429BB9
                                              • VirtualProtect.KERNELBASE(002D0000,00001000,00000004,?,00000000), ref: 00429C07
                                              • VirtualProtect.KERNELBASE(002D0000,00001000), ref: 00429C1C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                              • String ID:
                                              • API String ID: 1996367037-0
                                              • Opcode ID: b6ffb32274f09d373760cf403a306770159d2738ae3d64e2c2419ce9e76b2e35
                                              • Instruction ID: 5eb1c064b41f162f960706c721bef64a65f4a60a866d79b9d7fad5127632be11
                                              • Opcode Fuzzy Hash: b6ffb32274f09d373760cf403a306770159d2738ae3d64e2c2419ce9e76b2e35
                                              • Instruction Fuzzy Hash: 2851E872B543724BD7208D78BC80261BBA4FB52320F98077AD5E5C73C5E7A86C068769
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: Dd9$Dd9$Dd9$Dd9$Variable must be of type 'Object'.
                                              • API String ID: 0-2151272525
                                              • Opcode ID: d789446a508880aec23c766ededcc902a0ba26f9c5d341897983c8043961089a
                                              • Instruction ID: d830ab34e201353ca3952253f8e513c8141739303785870d4ed89815cb7f1f7d
                                              • Opcode Fuzzy Hash: d789446a508880aec23c766ededcc902a0ba26f9c5d341897983c8043961089a
                                              • Instruction Fuzzy Hash: 13A27A74A20206CFCF24DF58C480AA9B7B6FF59314F26846AE8069F351D771ED92CB90
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?,0030E398), ref: 0033446A
                                              • FindFirstFileW.KERNELBASE(?,?), ref: 0033447B
                                              • FindClose.KERNEL32(00000000), ref: 0033448B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FileFind$AttributesCloseFirst
                                              • String ID:
                                              • API String ID: 48322524-0
                                              • Opcode ID: 337a7b0b369ba3701790018fed2c7fac275bfdbdbf27d9cda3e48cd3b3ec2486
                                              • Instruction ID: 11614046a9bd5466fd5bf45dd7767c133230180c2849f3281a0ede2623c947a0
                                              • Opcode Fuzzy Hash: 337a7b0b369ba3701790018fed2c7fac275bfdbdbf27d9cda3e48cd3b3ec2486
                                              • Instruction Fuzzy Hash: 63E048764146156B92116B38EC4D4E9775C9F05336F104B25F935C21F0E774A9409696
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002E0A5B
                                              • timeGetTime.WINMM ref: 002E0D16
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002E0E53
                                              • Sleep.KERNEL32(0000000A), ref: 002E0E61
                                              • LockWindowUpdate.USER32(00000000,?,?), ref: 002E0EFA
                                              • DestroyWindow.USER32 ref: 002E0F06
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 002E0F20
                                              • Sleep.KERNEL32(0000000A,?,?), ref: 00314E83
                                              • TranslateMessage.USER32(?), ref: 00315C60
                                              • DispatchMessageW.USER32(?), ref: 00315C6E
                                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00315C82
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb9$pb9$pb9$pb9
                                              • API String ID: 4212290369-1278813213
                                              • Opcode ID: de8dfaf762357c972328d1678f4d78b36a7e5a12f2abd119be0e27d91660bb69
                                              • Instruction ID: 2d1d9d0f47d19f6c3318977c43fcb475697f934c2d2dfba78c295bf742977402
                                              • Opcode Fuzzy Hash: de8dfaf762357c972328d1678f4d78b36a7e5a12f2abd119be0e27d91660bb69
                                              • Instruction Fuzzy Hash: F8B2E770618741DFD72ADF24C884BAAB7E4BF88304F54491EF589872A1C7B1E8D5CB82

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 00338F5F: __time64.LIBCMT ref: 00338F69
                                                • Part of subcall function 002D4EE5: _fseek.LIBCMT ref: 002D4EFD
                                              • __wsplitpath.LIBCMT ref: 00339234
                                                • Part of subcall function 002F40FB: __wsplitpath_helper.LIBCMT ref: 002F413B
                                              • _wcscpy.LIBCMT ref: 00339247
                                              • _wcscat.LIBCMT ref: 0033925A
                                              • __wsplitpath.LIBCMT ref: 0033927F
                                              • _wcscat.LIBCMT ref: 00339295
                                              • _wcscat.LIBCMT ref: 003392A8
                                                • Part of subcall function 00338FA5: _memmove.LIBCMT ref: 00338FDE
                                                • Part of subcall function 00338FA5: _memmove.LIBCMT ref: 00338FED
                                              • _wcscmp.LIBCMT ref: 003391EF
                                                • Part of subcall function 00339734: _wcscmp.LIBCMT ref: 00339824
                                                • Part of subcall function 00339734: _wcscmp.LIBCMT ref: 00339837
                                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00339452
                                              • _wcsncpy.LIBCMT ref: 003394C5
                                              • DeleteFileW.KERNEL32(?,?), ref: 003394FB
                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00339511
                                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00339522
                                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00339534
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                              • String ID:
                                              • API String ID: 1500180987-0
                                              • Opcode ID: d8a999ed84eaeca72d66ea1aba9a1178c2b44b31815a3866d7fc4f59c44d0fa4
                                              • Instruction ID: 7a3f3a98f9dfc27e807494c79d2ecae798b42fa99579ee738ed3394ca3e93392
                                              • Opcode Fuzzy Hash: d8a999ed84eaeca72d66ea1aba9a1178c2b44b31815a3866d7fc4f59c44d0fa4
                                              • Instruction Fuzzy Hash: 33C12AB1D00219AFDF22DF95CC85EEEB7BDAF55310F0040AAF609E6251DB709A948F61

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 002D4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003952F8,?,002D37AE,?), ref: 002D4724
                                                • Part of subcall function 002F050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,002D7165), ref: 002F052D
                                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002D71A8
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0030E8C8
                                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0030E909
                                              • RegCloseKey.ADVAPI32(?), ref: 0030E947
                                              • _wcscat.LIBCMT ref: 0030E9A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                              • API String ID: 2673923337-2727554177
                                              • Opcode ID: c12b3661dc49f2794803aa495fe4117331ef5fec23163153b1ca7d5d6beb9a4f
                                              • Instruction ID: c1481ba17c5be81475f182b16f5995855d6b7139b14d4a9e6cea326667e02864
                                              • Opcode Fuzzy Hash: c12b3661dc49f2794803aa495fe4117331ef5fec23163153b1ca7d5d6beb9a4f
                                              • Instruction Fuzzy Hash: 11716D7151A3019EC302EF65E8529ABB7ECFF85350F40492FF485872A1EB769948CB92

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 002D3A50
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 002D3A5F
                                              • LoadIconW.USER32(00000063), ref: 002D3A76
                                              • LoadIconW.USER32(000000A4), ref: 002D3A88
                                              • LoadIconW.USER32(000000A2), ref: 002D3A9A
                                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 002D3AC0
                                              • RegisterClassExW.USER32(?), ref: 002D3B16
                                                • Part of subcall function 002D3041: GetSysColorBrush.USER32(0000000F), ref: 002D3074
                                                • Part of subcall function 002D3041: RegisterClassExW.USER32(00000030), ref: 002D309E
                                                • Part of subcall function 002D3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D30AF
                                                • Part of subcall function 002D3041: LoadIconW.USER32(000000A9), ref: 002D30F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                              • String ID: #$0$AutoIt v3
                                              • API String ID: 2880975755-4155596026
                                              • Opcode ID: 7ca88bbd981a6aad1ac1d8bf42b9a2229075edc5dff0e0a45cb224e22e917d69
                                              • Instruction ID: 45896ab8c9800e495488a96663582a41930d15281c4ee351811d6a5decc0f500
                                              • Opcode Fuzzy Hash: 7ca88bbd981a6aad1ac1d8bf42b9a2229075edc5dff0e0a45cb224e22e917d69
                                              • Instruction Fuzzy Hash: 62212B71D10704AFEB13DFA8EC49B9D7BB8FB08711F10056BE544A62B1D3B65A908F94

                                              Control-flow Graph

                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R9
                                              • API String ID: 1825951767-3403265924
                                              • Opcode ID: ae7550ff685a7466069b487b4d7e0f47dcd14d721ede458964a93a769d8f2c59
                                              • Instruction ID: 05529c902c7961a6bd016ea3e957b4cd5fb0ee65d8b9ab543953d8f28bfc0510
                                              • Opcode Fuzzy Hash: ae7550ff685a7466069b487b4d7e0f47dcd14d721ede458964a93a769d8f2c59
                                              • Instruction Fuzzy Hash: E3A15C7192021D9ACF06EBA4DC95EEEB778BF14300F44042AF416A7291EF745E58CFA1

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 002D3074
                                              • RegisterClassExW.USER32(00000030), ref: 002D309E
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D30AF
                                              • LoadIconW.USER32(000000A9), ref: 002D30F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: 846b8c359f506217dd9b30e37b23024c6eb3c29a59f822ebd94b1ba5cc1c6881
                                              • Instruction ID: 82abc9ddd8647430134f2bf768433fe3d5d7c90ae703f90232c185c18ea18519
                                              • Opcode Fuzzy Hash: 846b8c359f506217dd9b30e37b23024c6eb3c29a59f822ebd94b1ba5cc1c6881
                                              • Instruction Fuzzy Hash: 1D314AB1941349AFDB02CFA4E849ADDBBF8FB09311F14412AF580E62A0D3B60585CF91

                                              Control-flow Graph

                                              APIs
                                              • GetSysColorBrush.USER32(0000000F), ref: 002D3074
                                              • RegisterClassExW.USER32(00000030), ref: 002D309E
                                              • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 002D30AF
                                              • LoadIconW.USER32(000000A9), ref: 002D30F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                              • API String ID: 975902462-1005189915
                                              • Opcode ID: 63989188c466260a67e1487ffc034b7e3d5d0b9ec07fe4320a23060f7b2372f2
                                              • Instruction ID: 6f636227406351f19e0705e8a9506a3a0f9789f246346ba6f110709e1e39ad3e
                                              • Opcode Fuzzy Hash: 63989188c466260a67e1487ffc034b7e3d5d0b9ec07fe4320a23060f7b2372f2
                                              • Instruction Fuzzy Hash: E321C7B1915718AFDB02DFA4EC49BDDBBF8FB08711F04412AF910A72A0D7B245848F91

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 002F0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F0193
                                                • Part of subcall function 002F0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 002F019B
                                                • Part of subcall function 002F0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F01A6
                                                • Part of subcall function 002F0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F01B1
                                                • Part of subcall function 002F0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002F01B9
                                                • Part of subcall function 002F0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002F01C1
                                                • Part of subcall function 002E60F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 002E6154
                                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 002DF9CD
                                              • OleInitialize.OLE32(00000000), ref: 002DFA4A
                                              • CloseHandle.KERNEL32(00000000), ref: 003145C8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                              • String ID: <W9$\T9$%6$S9
                                              • API String ID: 3094916012-4158544577
                                              • Opcode ID: a6f9fd39c6dca95c848d87ca1cff025dbe913bc72fb040516e912d80973d6847
                                              • Instruction ID: 88ca45500b0289d2a63f9280c62eb4523fdcdc53293cb5efcbabe6f8880e9072
                                              • Opcode Fuzzy Hash: a6f9fd39c6dca95c848d87ca1cff025dbe913bc72fb040516e912d80973d6847
                                              • Instruction Fuzzy Hash: 4A81DCB4955A808FC787DF7AA9816197BEDEB58306F90812B9009CB372EB7244C58F51

                                              Control-flow Graph (graph rendering omitted; blocks call CreateFileW, VirtualAlloc, ReadFile, WriteFile, CloseHandle, VirtualFree)
                                              APIs
                                              • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 014F824D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CreateFile
                                              • String ID:
                                              • API String ID: 823142352-0
                                              • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                              • Instruction ID: 11acce0b5630a2bb76955c66145dc30a15bca9408c1fd0f4f4f63b621ee56da7
                                              • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                              • Instruction Fuzzy Hash: 5F510975A50209FBEF20DFA4CC49FDE7778AF48700F108519F71AEE290DA75AA458B60

                                              Control-flow Graph (graph rendering omitted; single block calling CreateWindowExW twice and ShowWindow twice)
                                              APIs
                                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 002D3A03
                                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 002D3A24
                                              • ShowWindow.USER32(00000000,?,?), ref: 002D3A38
                                              • ShowWindow.USER32(00000000,?,?), ref: 002D3A41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$CreateShow
                                              • String ID: AutoIt v3$edit
                                              • API String ID: 1584632944-3779509399
                                              • Opcode ID: 22fe9f6f7654ae9da63da9b69c4bf6fef3f315b6f23a1ff9e6ec03f1d672f210
                                              • Instruction ID: edb3ee666ce49476666ced3694c682feff83acd2fc40daab246d621907607725
                                              • Opcode Fuzzy Hash: 22fe9f6f7654ae9da63da9b69c4bf6fef3f315b6f23a1ff9e6ec03f1d672f210
                                              • Instruction Fuzzy Hash: ADF0DA715416907EEA3357276C49E6B2E7DD7CAF51F00452AB944A21B0C6621891DBB0

                                              Control-flow Graph (graph rendering omitted; internal calls only, no imported API calls in the graph)
                                              APIs
                                                • Part of subcall function 002D4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4E0F
                                              • _free.LIBCMT ref: 0030E263
                                              • _free.LIBCMT ref: 0030E2AA
                                                • Part of subcall function 002D6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002D6BAD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _free$CurrentDirectoryLibraryLoad
                                              • String ID: /v-$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                              • API String ID: 2861923089-176250811
                                              • Opcode ID: 2c0a3468e38fee6e6f264dffcea96d6945cb6b79eadafe46d85496a2a03b70d4
                                              • Instruction ID: b58aeca5dec8be0346f28f1985bd51097c998f58645d15796588caeffacb5421
                                              • Opcode Fuzzy Hash: 2c0a3468e38fee6e6f264dffcea96d6945cb6b79eadafe46d85496a2a03b70d4
                                              • Instruction Fuzzy Hash: 9E916C71A11219AFCF05EFA4C8919EDB7B8FF19310B10486AF815AB2A1DB74AD15CF50

                                              Control-flow Graph (graph rendering omitted; blocks call LoadStringW and Shell_NotifyIconW)
                                              APIs
                                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0030D3D7
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              • _memset.LIBCMT ref: 002D40FC
                                              • _wcscpy.LIBCMT ref: 002D4150
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002D4160
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                              • String ID: Line:
                                              • API String ID: 3942752672-1585850449
                                              • Opcode ID: 5d51e7f167691d3d73c58cd867d68e8ff6726c22b3eb223d500343e7e19fbd4a
                                              • Instruction ID: bcac45457ed77f4e2a9e27008ade4044431777170b9043662d35791b1f96b8db
                                              • Opcode Fuzzy Hash: 5d51e7f167691d3d73c58cd867d68e8ff6726c22b3eb223d500343e7e19fbd4a
                                              • Instruction Fuzzy Hash: 9831C471028705AFD722EB60DC45FDB77DCAF54304F10491FF685922A1EB749A68CB82
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                              • String ID:
                                              • API String ID: 1559183368-0
                                              • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                              • Instruction ID: df8b7ae6134d6181eb502bf5a51c4a78f9a659c33e8ecfc838551133f1cadfdd
                                              • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                              • Instruction Fuzzy Hash: 9D51B970A20B1EDBDB248E65D84067EF7A6AF413A1F548739FB25962D0D7709D708B40
                                              APIs
                                                • Part of subcall function 014F9BC8: Sleep.KERNELBASE(000001F4), ref: 014F9BD9
                                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 014F9DFC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CreateFileSleep
                                              • String ID: HGTGCLUJO7RHMNCII5U1KFMWRH44
                                              • API String ID: 2694422964-2713195955
                                              • Opcode ID: 4443dc3a5a8f2b3b83d91a5658cee9bc3356c3c5be34f312dae10a0428f64b13
                                              • Instruction ID: cad0ece9d286968bc156a6160c8aece4eb7608ab39a25e28ddc6aad12ea988aa
                                              • Opcode Fuzzy Hash: 4443dc3a5a8f2b3b83d91a5658cee9bc3356c3c5be34f312dae10a0428f64b13
                                              • Instruction Fuzzy Hash: EB617F71D04289DAEF11DBA8C858BEEBBB49F15304F04419EE7487B3C1D6B90B49CB66
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002D35A1,SwapMouseButtons,00000004,?), ref: 002D35D4
                                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002D35A1,SwapMouseButtons,00000004,?,?,?,?,002D2754), ref: 002D35F5
                                              • RegCloseKey.KERNELBASE(00000000,?,?,002D35A1,SwapMouseButtons,00000004,?,?,?,?,002D2754), ref: 002D3617
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Control Panel\Mouse
                                              • API String ID: 3677997916-824357125
                                              • Opcode ID: 47e3f570eec3087d5c35c2c0b0948b516e655b4c17b0ca60f30381e894583669
                                              • Instruction ID: f677d31405c82d4684acb946d813edff1c7d2dc0ab58cdbe1b4ecdbefc68a0b7
                                              • Opcode Fuzzy Hash: 47e3f570eec3087d5c35c2c0b0948b516e655b4c17b0ca60f30381e894583669
                                              • Instruction Fuzzy Hash: 51113675920208BEDB21DF64DC40EAAB7ACEF04740F00846AA805D7210D271DE6097A5
                                              APIs
                                                • Part of subcall function 002D4EE5: _fseek.LIBCMT ref: 002D4EFD
                                                • Part of subcall function 00339734: _wcscmp.LIBCMT ref: 00339824
                                                • Part of subcall function 00339734: _wcscmp.LIBCMT ref: 00339837
                                              • _free.LIBCMT ref: 003396A2
                                              • _free.LIBCMT ref: 003396A9
                                              • _free.LIBCMT ref: 00339714
                                                • Part of subcall function 002F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,002F9A24), ref: 002F2D69
                                                • Part of subcall function 002F2D55: GetLastError.KERNEL32(00000000,?,002F9A24), ref: 002F2D7B
                                              • _free.LIBCMT ref: 0033971C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                              • String ID:
                                              • API String ID: 1552873950-0
                                              • Opcode ID: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                              • Instruction ID: d6733055a401cdd7e54f9e775d57e34af7d0ee0f59ca8182fc8bd0d699bc4348
                                              • Opcode Fuzzy Hash: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
                                              • Instruction Fuzzy Hash: A2513AB1D14218AFDF259F64CC81BAEBBB9EF48300F1004AEB209A7351DB715A908F58
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                              • String ID:
                                              • API String ID: 2782032738-0
                                              • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                              • Instruction ID: 702e1bf7a510482c85bcff1b4ecc562a3122a01b355bc668e201533477f6937a
                                              • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                              • Instruction Fuzzy Hash: A241C574A2074E9BDB18BE69CC8097BFBA6AF453E4B14813DEA15C7640D7F0DD608B40
                                              APIs
                                              • _memset.LIBCMT ref: 002D44CF
                                                • Part of subcall function 002D407C: _memset.LIBCMT ref: 002D40FC
                                                • Part of subcall function 002D407C: _wcscpy.LIBCMT ref: 002D4150
                                                • Part of subcall function 002D407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 002D4160
                                              • KillTimer.USER32(?,00000001,?,?), ref: 002D4524
                                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 002D4533
                                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0030D4B9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                              • String ID:
                                              • API String ID: 1378193009-0
                                              • Opcode ID: 87197ca9620e80aa900925a9eaf141ae864c353402944572f9a8863e3cb088e5
                                              • Instruction ID: 79a771c1f8c8ee55aa2cc68ec07e0cb09ec42d2ded13864b8fc005f1e55449f7
                                              • Opcode Fuzzy Hash: 87197ca9620e80aa900925a9eaf141ae864c353402944572f9a8863e3cb088e5
                                              • Instruction Fuzzy Hash: C5210470905784AFE733DB649855BE7BBECAF15309F04009EE78E56281C7742E84CB41
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: AU3!P/6$EA06
                                              • API String ID: 4104443479-2288769048
                                              • Opcode ID: 9b4d0bf888d66c8a6121af52e869fe5518eca6ecbc824a9db2d4072502e51c75
                                              • Instruction ID: b061f9e9afc22f172d5feb17b4568937202e4efb97cdf0ffbebdecc56a22f9c2
                                              • Opcode Fuzzy Hash: 9b4d0bf888d66c8a6121af52e869fe5518eca6ecbc824a9db2d4072502e51c75
                                              • Instruction Fuzzy Hash: 24416D21A3415C6BDF22BF54C8A17BE7FA3DB45300F288477EC829B382D6709D6487A1
                                              APIs
                                              • _memset.LIBCMT ref: 0030EA39
                                              • 75D3D0D0.COMDLG32(?), ref: 0030EA83
                                                • Part of subcall function 002D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D4743,?,?,002D37AE,?), ref: 002D4770
                                                • Part of subcall function 002F0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002F07B0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: NamePath$FullLong_memset
                                              • String ID: X
                                              • API String ID: 3051022977-3081909835
                                              • Opcode ID: 83855a255c6dcddf4a2427615d127e620c1c56a792f6e9b9209a9578453dbbce
                                              • Instruction ID: 0a011fd38bf5429d8284118aa2ac1dbd980a1247aa050865c40b3cc311882a57
                                              • Opcode Fuzzy Hash: 83855a255c6dcddf4a2427615d127e620c1c56a792f6e9b9209a9578453dbbce
                                              • Instruction Fuzzy Hash: FD21D830A102489BDB12DF94CC45BEEBBFCAF49314F00405AE508A7381DBF45999CF91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __fread_nolock_memmove
                                              • String ID: EA06
                                              • API String ID: 1988441806-3962188686
                                              • Opcode ID: f84849c9bc3c4653e4836ec6b9d7969ef3442929c7881a6bda68ca5f622a8052
                                              • Instruction ID: d960f650190d7960b6f741fe6b8f6cc4303fdc065ccba6b867efa0e416bb058e
                                              • Opcode Fuzzy Hash: f84849c9bc3c4653e4836ec6b9d7969ef3442929c7881a6bda68ca5f622a8052
                                              • Instruction Fuzzy Hash: 6801F97180421C7EDB19CBA8CC56EFEBBFCDB15301F0041AAF652D2181E874E6148B60
                                              APIs
                                                • Part of subcall function 002F571C: __FF_MSGBANNER.LIBCMT ref: 002F5733
                                                • Part of subcall function 002F571C: __NMSG_WRITE.LIBCMT ref: 002F573A
                                                • Part of subcall function 002F571C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001), ref: 002F575F
                                              • std::exception::exception.LIBCMT ref: 002F0DEC
                                              • __CxxThrowException@8.LIBCMT ref: 002F0E01
                                                • Part of subcall function 002F859B: RaiseException.KERNEL32(?,?,00000000,00389E78,?,00000001,?,?,?,002F0E06,00000000,00389E78,002D9E8C,00000001), ref: 002F85F0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                              • String ID: bad allocation
                                              • API String ID: 3902256705-2104205924
                                              • Opcode ID: a531a38f192947f6d01ed72c5fa1fed80c6f17049b9507c829186c5404c6f5c9
                                              • Instruction ID: ad5536601f559b85634ecd5e74f28a909551547b49ea11030b43cfc35b9c883e
                                              • Opcode Fuzzy Hash: a531a38f192947f6d01ed72c5fa1fed80c6f17049b9507c829186c5404c6f5c9
                                              • Instruction Fuzzy Hash: 39F0D13582021E66CB11BA94EC419FFFBA8DF013D0F104476FA1496182DFB09A608AD1
                                              APIs
                                              • CreateProcessW.KERNELBASE(?,00000000), ref: 014F892D
                                              • ExitProcess.KERNEL32(00000000), ref: 014F894C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Process$CreateExit
                                              • String ID: D
                                              • API String ID: 126409537-2746444292
                                              • Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                                              • Instruction ID: f9277f49707d9c6bd04edca5309d2cc182973ed4d55824478915964a9330e09b
                                              • Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
                                              • Instruction Fuzzy Hash: 7CF0EC7254024DABDB60EFE0CC49FEE777CBF08701F408509FB1A9A284DA7496088B61
                                              APIs
                                              • GetTempPathW.KERNEL32(00000104,?), ref: 003398F8
                                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0033990F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Temp$FileNamePath
                                              • String ID: aut
                                              • API String ID: 3285503233-3010740371
                                              • Opcode ID: 931bb4e7f92376416a745366f9b0675b0d61456e9130b2ae7af9ab6a3c5a7cfb
                                              • Instruction ID: aa4168158d0129db276cf0ee08be0ec64ccc76e27e2a6995e9d822aee983a712
                                              • Opcode Fuzzy Hash: 931bb4e7f92376416a745366f9b0675b0d61456e9130b2ae7af9ab6a3c5a7cfb
                                              • Instruction Fuzzy Hash: B2D05EB958030DAFDB51ABA0DC0EFEA773CE704701F4006B1BA54960A1EAB095988B91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: af84f985d47af27a06818fbeaeb3e375eb2a59c0b85cbb7029840db07d7a3927
                                              • Instruction ID: a4ecba869658eafd65780f77c8ff8698bf084511dcb691f22f6eb72fa01edfb7
                                              • Opcode Fuzzy Hash: af84f985d47af27a06818fbeaeb3e375eb2a59c0b85cbb7029840db07d7a3927
                                              • Instruction Fuzzy Hash: 30F13470A083409FCB55DF28C480A6ABBE5FF89314F15892EF8999B352D730E945CF82
                                              APIs
                                              • _memset.LIBCMT ref: 002D4370
                                              • Shell_NotifyIconW.SHELL32(00000000,?), ref: 002D4415
                                              • Shell_NotifyIconW.SHELL32(00000001,?), ref: 002D4432
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: IconNotifyShell_$_memset
                                              • String ID:
                                              • API String ID: 1505330794-0
                                              • Opcode ID: 935f625b1700930a7942dd7c3a01d11fb8f1e9106d19361d26c43fd79b8293d4
                                              • Instruction ID: f8dcf77da462f73b28248fba3a780bb4adea198fa5ca629180399d6f990b04d3
                                              • Opcode Fuzzy Hash: 935f625b1700930a7942dd7c3a01d11fb8f1e9106d19361d26c43fd79b8293d4
                                              • Instruction Fuzzy Hash: D03181B05147019FD762EF24D88469BBBF8FB48309F10096FE6DA82391D771A994CB52
                                              APIs
                                              • __FF_MSGBANNER.LIBCMT ref: 002F5733
                                                • Part of subcall function 002FA16B: __NMSG_WRITE.LIBCMT ref: 002FA192
                                                • Part of subcall function 002FA16B: __NMSG_WRITE.LIBCMT ref: 002FA19C
                                              • __NMSG_WRITE.LIBCMT ref: 002F573A
                                                • Part of subcall function 002FA1C8: GetModuleFileNameW.KERNEL32(00000000,003933BA,00000104,00000000,00000001,00000000), ref: 002FA25A
                                                • Part of subcall function 002FA1C8: ___crtMessageBoxW.LIBCMT ref: 002FA308
                                                • Part of subcall function 002F309F: ___crtCorExitProcess.LIBCMT ref: 002F30A5
                                                • Part of subcall function 002F309F: ExitProcess.KERNEL32 ref: 002F30AE
                                                • Part of subcall function 002F8B28: __getptd_noexit.LIBCMT ref: 002F8B28
                                              • RtlAllocateHeap.NTDLL(01450000,00000000,00000001), ref: 002F575F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                              • String ID:
                                              • API String ID: 1372826849-0
                                              • Opcode ID: 6bef4c2ed59667fc7cef94139971d2b74a8b8d5b2ea77907cd85a075ce643a5a
                                              • Instruction ID: 65beaade5d88f7df3d3f096ce8f12b4e8246ce59c447182cd6a173123648291f
                                              • Opcode Fuzzy Hash: 6bef4c2ed59667fc7cef94139971d2b74a8b8d5b2ea77907cd85a075ce643a5a
                                              • Instruction Fuzzy Hash: 1201D675330B2ADAD6117B34EC52B7EE3488B413E2F110436F709D6291DEB098204A61
                                              APIs
                                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00339548,?,?,?,?,?,00000004), ref: 003398BB
                                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00339548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003398D1
                                              • CloseHandle.KERNEL32(00000000,?,00339548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003398D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: File$CloseCreateHandleTime
                                              • String ID:
                                              • API String ID: 3397143404-0
                                              • Opcode ID: 143150f663c88dbd011fb01c7c4eaca37631fcf9067a0b4f4811c039a9370bd6
                                              • Instruction ID: 11c8a49fc316eef6d5262cd1b4304ed0bd9fba7e2b3fab3534d3c77965d61757
                                              • Opcode Fuzzy Hash: 143150f663c88dbd011fb01c7c4eaca37631fcf9067a0b4f4811c039a9370bd6
                                              • Instruction Fuzzy Hash: CDE08632141714FBE7232B54EC09FDA7B1DAF06761F114120FB14A90F087B116119798
                                              APIs
                                              • _free.LIBCMT ref: 00338D1B
                                                • Part of subcall function 002F2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,002F9A24), ref: 002F2D69
                                                • Part of subcall function 002F2D55: GetLastError.KERNEL32(00000000,?,002F9A24), ref: 002F2D7B
                                              • _free.LIBCMT ref: 00338D2C
                                              • _free.LIBCMT ref: 00338D3E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                              • Instruction ID: 6d3eb6fe72c4cf6695b10999b50994affeffef6e5d62531d6e5577f34afc05eb
                                              • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                              • Instruction Fuzzy Hash: 15E0C2A160170882CB21A678A881AA393DC4F48392B04082DB50DD7282CE60F8828424
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: CALL
                                              • API String ID: 0-4196123274
                                              APIs
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              APIs
                                              • 74A3C8D0.UXTHEME ref: 002D4834
                                                • Part of subcall function 002F336C: __lock.LIBCMT ref: 002F3372
                                                • Part of subcall function 002F336C: RtlDecodePointer.NTDLL(00000001), ref: 002F337E
                                                • Part of subcall function 002F336C: RtlEncodePointer.NTDLL(?), ref: 002F3389
                                                • Part of subcall function 002D48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 002D4915
                                                • Part of subcall function 002D48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D492A
                                                • Part of subcall function 002D3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002D3B68
                                                • Part of subcall function 002D3B3A: IsDebuggerPresent.KERNEL32 ref: 002D3B7A
                                                • Part of subcall function 002D3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003952F8,003952E0,?,?), ref: 002D3BEB
                                                • Part of subcall function 002D3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 002D3C6F
                                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 002D4874
                                              Similarity
                                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                              • String ID:
                                              • API String ID: 2688871447-0
                                              APIs
                                              Similarity
                                              • API ID: __lock_file_memset
                                              • String ID:
                                              • API String ID: 26237723-0
                                              APIs
                                                • Part of subcall function 002F8B28: __getptd_noexit.LIBCMT ref: 002F8B28
                                              • __lock_file.LIBCMT ref: 002F53EB
                                                • Part of subcall function 002F6C11: __lock.LIBCMT ref: 002F6C34
                                              • __fclose_nolock.LIBCMT ref: 002F53F6
                                              Similarity
                                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                              • String ID:
                                              • API String ID: 2800547568-0
                                              APIs
                                                • Part of subcall function 014F81C8: GetFileAttributesW.KERNELBASE(?), ref: 014F81D3
                                              • CreateDirectoryW.KERNELBASE(?,00000000), ref: 014F8ACF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AttributesCreateDirectoryFile
                                              • String ID:
                                              • API String ID: 3401506121-0
                                              APIs
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              APIs
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              APIs
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                                • Part of subcall function 002D4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 002D4BEF
                                                • Part of subcall function 002F525B: __wfsopen.LIBCMT ref: 002F5266
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4E0F
                                                • Part of subcall function 002D4B6A: FreeLibrary.KERNEL32(00000000), ref: 002D4BA4
                                                • Part of subcall function 002D4C70: _memmove.LIBCMT ref: 002D4CBA
                                              Similarity
                                              • API ID: Library$Free$Load__wfsopen_memmove
                                              • String ID:
                                              • API String ID: 1396898556-0
                                              APIs
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID:
                                              • API String ID: 1473721057-0
                                              APIs
                                              • __lock_file.LIBCMT ref: 002F48A6
                                                • Part of subcall function 002F8B28: __getptd_noexit.LIBCMT ref: 002F8B28
                                              Similarity
                                              • API ID: __getptd_noexit__lock_file
                                              • String ID:
                                              • API String ID: 2597487223-0
                                              APIs
                                              • FreeLibrary.KERNEL32(?,?,003952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4E7E
                                              Similarity
                                              • API ID: FreeLibrary
                                              • String ID:
                                              • API String ID: 3664257935-0
                                              • Opcode ID: c9cf0bcf800b34cc6639da8370114c5e442daaba98dc0056390e8f01bfef85e3
                                              • Instruction ID: ed417bb5c94f953b466565be6c72fdf144ba2a4b600377d4ee7a678b7e374eb0
                                              • Instruction Fuzzy Hash: 79F01571521B12EFCB34AF64E494822BBE5BF143693208A7EE2D682721C7729C60DF40
                                              APIs
                                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002F07B0
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LongNamePath_memmove
                                              • String ID:
                                              • API String ID: 2514874351-0
                                              • Opcode ID: fcc32fb2f6f1c4df7dd952b80f406b6116220865b75c75b1743e3debeaff7cd0
                                              • Instruction ID: 7ef26bc9a84c274fd970ef01e170f04ab0b02ba55259ee1a77e12b183d42449e
                                              • Instruction Fuzzy Hash: 74E086769052285BC721A6689C05FEA77DDDB887A1F0441B6FD0CD7254D9649C9086D0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __fread_nolock
                                              • String ID:
                                              • API String ID: 2638373210-0
                                              • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                              • Instruction ID: 51daaac48bce44d64009e9ce897e8ceffebdaf6ee1563457db618fe727cf94a4
                                              • Instruction Fuzzy Hash: 54E092B0104B045FD7398B24D840BA373E1AB05305F00081DF2AA83241EB6278458B59
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?), ref: 014F81D3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                              • Instruction ID: 1dc1034d0a725a61ab8b04410d8b3483ea8d2d7f214a2daef21fe252a48ce39c
                                              • Instruction Fuzzy Hash: 5CE0C23090520DEBDB50CBBCCE04AAE77A8FB05320F00475EEA06CB3D1D5309A10D758
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(?), ref: 014F81A3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                              • Instruction ID: 25bc943cf26d29df10495f226ac2b87d65af89d142f12ca2dc7f7d9c05d8db5d
                                              • Instruction Fuzzy Hash: 1BD0A73090520DEBCB10CFB89E049DE77A8D705360F004759FE15C7380D53199109790
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __wfsopen
                                              • String ID:
                                              • API String ID: 197181222-0
                                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                              • Instruction ID: 6d0693c234cf368f637d65ebd5f718457fc7dec3a0806dd9a7eaed486f221c51
                                              • Instruction Fuzzy Hash: 26B0927644020C77CE012A82FC02A597F199B417A4F408020FF0C18162A673A6749A89
                                              APIs
                                              • Sleep.KERNELBASE(000001F4), ref: 014F9BD9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                              • Instruction ID: af581b5cbd8ec19a28b3968c31dbce20099134116da6259f1eb124128cedb79c
                                              • Instruction Fuzzy Hash: D0E0E67494010EDFDB00DFF4D64D6AD7BB4FF04301F100165FD01D2280DA309D508A62
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0035CB37
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035CB95
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0035CBD6
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035CC00
                                              • SendMessageW.USER32 ref: 0035CC29
                                              • _wcsncpy.LIBCMT ref: 0035CC95
                                              • GetKeyState.USER32(00000011), ref: 0035CCB6
                                              • GetKeyState.USER32(00000009), ref: 0035CCC3
                                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0035CCD9
                                              • GetKeyState.USER32(00000010), ref: 0035CCE3
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0035CD0C
                                              • SendMessageW.USER32 ref: 0035CD33
                                              • SendMessageW.USER32(?,00001030,?,0035B348), ref: 0035CE37
                                              • SetCapture.USER32(?), ref: 0035CE69
                                              • ClientToScreen.USER32(?,?), ref: 0035CECE
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0035CEF5
                                              • ReleaseCapture.USER32 ref: 0035CF00
                                              • GetCursorPos.USER32(?), ref: 0035CF3A
                                              • ScreenToClient.USER32(?,?), ref: 0035CF47
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0035CFA3
                                              • SendMessageW.USER32 ref: 0035CFD1
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0035D00E
                                              • SendMessageW.USER32 ref: 0035D03D
                                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0035D05E
                                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0035D06D
                                              • GetCursorPos.USER32(?), ref: 0035D08D
                                              • ScreenToClient.USER32(?,?), ref: 0035D09A
                                              • GetParent.USER32(?), ref: 0035D0BA
                                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0035D123
                                              • SendMessageW.USER32 ref: 0035D154
                                              • ClientToScreen.USER32(?,?), ref: 0035D1B2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0035D1E2
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0035D20C
                                              • SendMessageW.USER32 ref: 0035D22F
                                              • ClientToScreen.USER32(?,?), ref: 0035D281
                                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0035D2B5
                                                • Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0035D351
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                              • String ID: @GUI_DRAGID$F$pb9
                                              • API String ID: 302779176-1567519681
                                              • Opcode ID: 4d5aa7faf232ddab51c9a81de2230d3c859db38ad417d780ba5edcf770f0b08d
                                              • Instruction ID: 31c8131ece7eb60170520729c209abbad13affe00b7efc742d3172931a0c3c3b
                                              • Instruction Fuzzy Hash: 6E42CD74214341AFDB22CF24C885EAABBE9FF49316F140919F995C72B0C732D958DB92
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove$_memset
                                              • String ID: ]8$3c.$DEFINE$P\8$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_.
                                              • API String ID: 1357608183-4058536193
                                              • Opcode ID: 47aa457b7fa23f1ac3e0f11f458af322588444de6b1229fc359cf23421aad77e
                                              • Instruction ID: 3891e4cc72687b69c136988400036141d87d578002dab1be0767d7eea9b16121
                                              • Instruction Fuzzy Hash: 1793D431E50229DFDB25CF58D881BADB7B1FF48310F65816AE949AB381E7749E81CB40
                                              APIs
                                              • GetForegroundWindow.USER32(00000000,?), ref: 002D48DF
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0030D665
                                              • IsIconic.USER32(?), ref: 0030D66E
                                              • ShowWindow.USER32(?,00000009), ref: 0030D67B
                                              • SetForegroundWindow.USER32(?), ref: 0030D685
                                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0030D69B
                                              • GetCurrentThreadId.KERNEL32 ref: 0030D6A2
                                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 0030D6AE
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0030D6BF
                                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 0030D6C7
                                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 0030D6CF
                                              • SetForegroundWindow.USER32(?), ref: 0030D6D2
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0030D6E7
                                              • keybd_event.USER32(00000012,00000000), ref: 0030D6F2
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0030D6FC
                                              • keybd_event.USER32(00000012,00000000), ref: 0030D701
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0030D70A
                                              • keybd_event.USER32(00000012,00000000), ref: 0030D70F
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 0030D719
                                              • keybd_event.USER32(00000012,00000000), ref: 0030D71E
                                              • SetForegroundWindow.USER32(?), ref: 0030D721
                                              • AttachThreadInput.USER32(?,?,00000000), ref: 0030D748
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 4125248594-2988720461
                                              • Opcode ID: 69d0214c510f541be04cabea3243e28361c5bec5e40d5205e2108340c2809a50
                                              • Instruction ID: 8b03749e9b06328e7ad1a143f5ac9952ce708812f609e6d9dcaa9f1fa2919b1c
                                              • Instruction Fuzzy Hash: 3A317271A41318BFEB226FA19C49F7F7EACEB44B51F114025FA04EB1E1D6B05D01ABA1
                                              APIs
                                                • Part of subcall function 003287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032882B
                                                • Part of subcall function 003287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328858
                                                • Part of subcall function 003287E1: GetLastError.KERNEL32 ref: 00328865
                                              • _memset.LIBCMT ref: 00328353
                                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003283A5
                                              • CloseHandle.KERNEL32(?), ref: 003283B6
                                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003283CD
                                              • GetProcessWindowStation.USER32 ref: 003283E6
                                              • SetProcessWindowStation.USER32(00000000), ref: 003283F0
                                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0032840A
                                                • Part of subcall function 003281CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00328309), ref: 003281E0
                                                • Part of subcall function 003281CB: CloseHandle.KERNEL32(?,?,00328309), ref: 003281F2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                              • String ID: $default$winsta0
                                              • API String ID: 2063423040-1027155976
                                              • Opcode ID: 95ef0ba43b257a0d996c7a5a29f538c2f4ecf7ea3c62873859fd46ebbca23a68
                                              • Instruction ID: 679633ce80d10d968b37cab9fe7da8bc0dd1cb743095ba6a5d6fae44608b92b6
                                              • Instruction Fuzzy Hash: 85818C71902219AFDF12DFA4EC45AFEBBB9FF09344F244169F910A6261DB318E14DB60
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0033C78D
                                              • FindClose.KERNEL32(00000000), ref: 0033C7E1
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033C806
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0033C81D
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0033C844
                                              • __swprintf.LIBCMT ref: 0033C890
                                              • __swprintf.LIBCMT ref: 0033C8D3
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              • __swprintf.LIBCMT ref: 0033C927
                                                • Part of subcall function 002F3698: __woutput_l.LIBCMT ref: 002F36F1
                                              • __swprintf.LIBCMT ref: 0033C975
                                                • Part of subcall function 002F3698: __flsbuf.LIBCMT ref: 002F3713
                                                • Part of subcall function 002F3698: __flsbuf.LIBCMT ref: 002F372B
                                              • __swprintf.LIBCMT ref: 0033C9C4
                                              • __swprintf.LIBCMT ref: 0033CA13
                                              • __swprintf.LIBCMT ref: 0033CA62
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                              • API String ID: 3953360268-2428617273
                                              • Opcode ID: aa0240706396129d4cd5eee93daceaf2f112ff7cb70393cba917f1e9556ddad5
                                              • Instruction ID: 6c06f445665d02b803fc6167a12604b8293ad412661541f9f43adbcf4fd18b5d
                                              • Opcode Fuzzy Hash: aa0240706396129d4cd5eee93daceaf2f112ff7cb70393cba917f1e9556ddad5
                                              • Instruction Fuzzy Hash: 9FA12CB2418344ABC705EFA4C895DAFB7ECAF94704F40092AF595C6291EB34DE58CB62
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0033EFB6
                                              • _wcscmp.LIBCMT ref: 0033EFCB
                                              • _wcscmp.LIBCMT ref: 0033EFE2
                                              • GetFileAttributesW.KERNEL32(?), ref: 0033EFF4
                                              • SetFileAttributesW.KERNEL32(?,?), ref: 0033F00E
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0033F026
                                              • FindClose.KERNEL32(00000000), ref: 0033F031
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0033F04D
                                              • _wcscmp.LIBCMT ref: 0033F074
                                              • _wcscmp.LIBCMT ref: 0033F08B
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0033F09D
                                              • SetCurrentDirectoryW.KERNEL32(00388920), ref: 0033F0BB
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0033F0C5
                                              • FindClose.KERNEL32(00000000), ref: 0033F0D2
                                              • FindClose.KERNEL32(00000000), ref: 0033F0E4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                              • String ID: *.*
                                              • API String ID: 1803514871-438819550
                                              • Opcode ID: 8c0aca4fb2e8dcf3ae255432d90875b392b1674efe8b20c83258a7eb09a99f9b
                                              • Instruction ID: 6dc4b02e9ede81f2040c2e302efc1d85793c8e23f54df08e0629e3f895a366ed
                                              • Opcode Fuzzy Hash: 8c0aca4fb2e8dcf3ae255432d90875b392b1674efe8b20c83258a7eb09a99f9b
                                              • Instruction Fuzzy Hash: EA31E5769002086FDB1AEBB8DC88AEE77AC9F48361F5101B6F914E30A1DB70DA44CB51
                                              APIs
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00350953
                                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0035F910,00000000,?,00000000,?,?), ref: 003509C1
                                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00350A09
                                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00350A92
                                              • RegCloseKey.ADVAPI32(?), ref: 00350DB2
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00350DBF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Close$ConnectCreateRegistryValue
                                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                              • API String ID: 536824911-966354055
                                              • Opcode ID: 43ba01f9b23588afac13ce5b54564b82888653a034ce53e431af141365421f5c
                                              • Instruction ID: dd6a953c6b9b1658b518711adcd20b5bd739568c6804a70150afe27b1a1e46e2
                                              • Opcode Fuzzy Hash: 43ba01f9b23588afac13ce5b54564b82888653a034ce53e431af141365421f5c
                                              • Instruction Fuzzy Hash: 0B0246756106419FCB15EF28C881E2AB7E5FF89710F058859F88A9B3A2DB31EC55CF81
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • DragQueryPoint.SHELL32(?,?), ref: 0035C627
                                                • Part of subcall function 0035AB37: ClientToScreen.USER32(?,?), ref: 0035AB60
                                                • Part of subcall function 0035AB37: GetWindowRect.USER32(?,?), ref: 0035ABD6
                                                • Part of subcall function 0035AB37: PtInRect.USER32(?,?,0035C014), ref: 0035ABE6
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0035C690
                                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0035C69B
                                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0035C6BE
                                              • _wcscat.LIBCMT ref: 0035C6EE
                                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0035C705
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0035C71E
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0035C735
                                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0035C757
                                              • DragFinish.SHELL32(?), ref: 0035C75E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 0035C851
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb9
                                              • API String ID: 2166380349-3324959249
                                              • Opcode ID: 4942b1223c0ba29ec1ebb7efd746b47c6015920c4f7fa29d88641b6c7b214aaa
                                              • Instruction ID: 66c209b123f4e1bfda9decaa066591d05dbd254fc40cb3de3d6b589a9e2bc5f3
                                              • Opcode Fuzzy Hash: 4942b1223c0ba29ec1ebb7efd746b47c6015920c4f7fa29d88641b6c7b214aaa
                                              • Instruction Fuzzy Hash: 66616B71118301AFC702EF64CC85DABBBF8EF89754F00092EF595962B1DB70AA49CB52
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 0033F113
                                              • _wcscmp.LIBCMT ref: 0033F128
                                              • _wcscmp.LIBCMT ref: 0033F13F
                                                • Part of subcall function 00334385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003343A0
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 0033F16E
                                              • FindClose.KERNEL32(00000000), ref: 0033F179
                                              • FindFirstFileW.KERNEL32(*.*,?), ref: 0033F195
                                              • _wcscmp.LIBCMT ref: 0033F1BC
                                              • _wcscmp.LIBCMT ref: 0033F1D3
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0033F1E5
                                              • SetCurrentDirectoryW.KERNEL32(00388920), ref: 0033F203
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0033F20D
                                              • FindClose.KERNEL32(00000000), ref: 0033F21A
                                              • FindClose.KERNEL32(00000000), ref: 0033F22C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                              • String ID: *.*
                                              • API String ID: 1824444939-438819550
                                              • Opcode ID: fcf0d99353888f219a3b4575aade99485a558cae3ee2569a039a93f397a42999
                                              • Instruction ID: 4b8ff5e412191abdae2da0347c84f2cf018b6d1fe4e8e4e22c9f8757daf2a62a
                                              • Opcode Fuzzy Hash: fcf0d99353888f219a3b4575aade99485a558cae3ee2569a039a93f397a42999
                                              • Instruction Fuzzy Hash: E431D57A90021DBEDB12EB64EC99EEF77AC9F49361F5105B1E910E20A0DB30DE45CA54
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0033A20F
                                              • __swprintf.LIBCMT ref: 0033A231
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 0033A26E
                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0033A293
                                              • _memset.LIBCMT ref: 0033A2B2
                                              • _wcsncpy.LIBCMT ref: 0033A2EE
                                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0033A323
                                              • CloseHandle.KERNEL32(00000000), ref: 0033A32E
                                              • RemoveDirectoryW.KERNEL32(?), ref: 0033A337
                                              • CloseHandle.KERNEL32(00000000), ref: 0033A341
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                              • String ID: :$\$\??\%s
                                              • API String ID: 2733774712-3457252023
                                              • Opcode ID: 0da1bae1a3f2f93300a7e14a7c7e8d68577d85164a7168dc24673081b97b6bf7
                                              • Instruction ID: c459388c65070702cd8c6f60b0d39681cbce5d522dc70dbb7417fe4983b84c43
                                              • Opcode Fuzzy Hash: 0da1bae1a3f2f93300a7e14a7c7e8d68577d85164a7168dc24673081b97b6bf7
                                              • Instruction Fuzzy Hash: 1E31C6B5500209ABDB22DFA0DC89FFB77BCEF89751F1041B6F608D6160EB7096448B65
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0035C1FC
                                              • GetFocus.USER32 ref: 0035C20C
                                              • GetDlgCtrlID.USER32(00000000), ref: 0035C217
                                              • _memset.LIBCMT ref: 0035C342
                                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0035C36D
                                              • GetMenuItemCount.USER32(?), ref: 0035C38D
                                              • GetMenuItemID.USER32(?,00000000), ref: 0035C3A0
                                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0035C3D4
                                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0035C41C
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0035C454
                                              • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 0035C489
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                              • String ID: 0
                                              • API String ID: 3616455698-4108050209
                                              • Opcode ID: c2478ca51dc1bd3f80919e657482405e3e1ea105a9fea11d674df5c86f7f90b8
                                              • Instruction ID: 2fc23d98d856c7fd610c53408de3f5158c211f238092d28a6d1378d7b860c08a
                                              • Opcode Fuzzy Hash: c2478ca51dc1bd3f80919e657482405e3e1ea105a9fea11d674df5c86f7f90b8
                                              • Instruction Fuzzy Hash: 01819CB42183059FDB12CF15C884E6BBBE8FB88719F01592EFD85972A1D770D948CB92
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: 3c.$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_.
                                              • API String ID: 0-1974457178
                                              • Opcode ID: 063eacb7b4d906d9bf29a5c33d8fd16d6e597c5fa2fdabbc99d91ae94c5f20b5
                                              • Instruction ID: a61d38a7ac6b79e4df4142e342a3139d5237335f32b9766dc7cb550fc47094a7
                                              • Opcode Fuzzy Hash: 063eacb7b4d906d9bf29a5c33d8fd16d6e597c5fa2fdabbc99d91ae94c5f20b5
                                              • Instruction Fuzzy Hash: 7572B175E10229CBDB25CF59D8447AEB7B5FF58310F6481AAE909EB280D7709E81CF90
                                              APIs
                                              • GetKeyboardState.USER32(?), ref: 00330097
                                              • SetKeyboardState.USER32(?), ref: 00330102
                                              • GetAsyncKeyState.USER32(000000A0), ref: 00330122
                                              • GetKeyState.USER32(000000A0), ref: 00330139
                                              • GetAsyncKeyState.USER32(000000A1), ref: 00330168
                                              • GetKeyState.USER32(000000A1), ref: 00330179
                                              • GetAsyncKeyState.USER32(00000011), ref: 003301A5
                                              • GetKeyState.USER32(00000011), ref: 003301B3
                                              • GetAsyncKeyState.USER32(00000012), ref: 003301DC
                                              • GetKeyState.USER32(00000012), ref: 003301EA
                                              • GetAsyncKeyState.USER32(0000005B), ref: 00330213
                                              • GetKeyState.USER32(0000005B), ref: 00330221
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: State$Async$Keyboard
                                              • String ID:
                                              • API String ID: 541375521-0
                                              • Opcode ID: dbea5514fb619c6d0a0d0328fd826d625a34d1e4cf98df029be6b09c6e3da6c7
                                              • Instruction ID: db48127a5ade81c958e8dfaecd798e39994fc5abcaa32646df88578aeea7dd0d
                                              • Opcode Fuzzy Hash: dbea5514fb619c6d0a0d0328fd826d625a34d1e4cf98df029be6b09c6e3da6c7
                                              • Instruction Fuzzy Hash: CD51CC2490478819FB3FDBB488A47AABFB49F01380F094599D9C15A5C2DAA49B8CC761
                                              APIs
                                                • Part of subcall function 00350E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034FDAD,?,?), ref: 00350E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003504AC
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0035054B
                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003505E3
                                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00350822
                                              • RegCloseKey.ADVAPI32(00000000), ref: 0035082F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                              • String ID:
                                              • API String ID: 1240663315-0
                                              • Opcode ID: 8685c6ea627459d18677b3d247705fc83800885b7bdd21ba885a5022cb198e77
                                              • Instruction ID: 29a5cdc489c1ab5bcd410fb23b27245506ccf22c1ccb6f8bf510e79519cdc49c
                                              • Opcode Fuzzy Hash: 8685c6ea627459d18677b3d247705fc83800885b7bdd21ba885a5022cb198e77
                                              • Instruction Fuzzy Hash: 8EE16E71604210AFCB15DF28C891D2ABBE8EF89714F04896DF84ADB2A1DB31ED15CF91
                                              APIs
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • CoInitialize.OLE32 ref: 00348403
                                              • CoUninitialize.COMBASE ref: 0034840E
                                              • CoCreateInstance.COMBASE(?,00000000,00000017,00362BEC,?), ref: 0034846E
                                              • IIDFromString.COMBASE(?,?), ref: 003484E1
                                              • VariantInit.OLEAUT32(?), ref: 0034857B
                                              • VariantClear.OLEAUT32(?), ref: 003485DC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                              • API String ID: 834269672-1287834457
                                              • Opcode ID: 5d6543e4a7360c092d31efe3220aa51f5ec40b48251370ffb4010d6b4b77beea
                                              • Instruction ID: 25ecae973f259bc235098c4c90f4272f60d32332346f7dbb92e88a9fa4f3441b
                                              • Opcode Fuzzy Hash: 5d6543e4a7360c092d31efe3220aa51f5ec40b48251370ffb4010d6b4b77beea
                                              • Instruction Fuzzy Hash: 48618B706083129FC712DF15D848B6EB7E8AF4A754F00485AF9859B3A1CB70FD48CB92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                              • String ID:
                                              • API String ID: 1737998785-0
                                              • Opcode ID: 282388c8aaa4dc8041384f5e4a529da5141b0252f094abb3d52456861a500add
                                              • Instruction ID: 51bc1fd226bdbd55e0d5d06b7d7899347d1fdad76e886d2f885138feed6f5b13
                                              • Opcode Fuzzy Hash: 282388c8aaa4dc8041384f5e4a529da5141b0252f094abb3d52456861a500add
                                              • Instruction Fuzzy Hash: D9217A752012109FDB12AF64EC09B6A7BACEF05752F11842AF946DB2B1DB70AC40CB94
                                              APIs
                                                • Part of subcall function 002D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D4743,?,?,002D37AE,?), ref: 002D4770
                                                • Part of subcall function 00334A31: GetFileAttributesW.KERNEL32(?,0033370B), ref: 00334A32
                                              • FindFirstFileW.KERNEL32(?,?), ref: 003338A3
                                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0033394B
                                              • MoveFileW.KERNEL32(?,?), ref: 0033395E
                                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0033397B
                                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 0033399D
                                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 003339B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                              • String ID: \*.*
                                              • API String ID: 4002782344-1173974218
                                              • Opcode ID: dd5408d9b88724cefd16916586c43f21d0222b62fc19d398b119472f3805cc4c
                                              • Instruction ID: e215aeefafad91fcf9b4a4be319db7b0e153274424121baeab7d1fffc32776f2
                                              • Opcode Fuzzy Hash: dd5408d9b88724cefd16916586c43f21d0222b62fc19d398b119472f3805cc4c
                                              • Instruction Fuzzy Hash: 5351733180514C9ACF06FBA4D992AEDB779AF14301F6041AAE40677291EF756F09CF91
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0033F440
                                              • Sleep.KERNEL32(0000000A), ref: 0033F470
                                              • _wcscmp.LIBCMT ref: 0033F484
                                              • _wcscmp.LIBCMT ref: 0033F49F
                                              • FindNextFileW.KERNEL32(?,?), ref: 0033F53D
                                              • FindClose.KERNEL32(00000000), ref: 0033F553
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                              • String ID: *.*
                                              • API String ID: 713712311-438819550
                                              • Opcode ID: e56c7beddbb06c7870c18b4d4670b0e97750bcf1f4a55a8fc56bfa08d5a920d2
                                              • Instruction ID: 6b58acbdd8b927f03b4efb085b2428d91f950026d83575599ffd8e96bbba31ae
                                              • Opcode Fuzzy Hash: e56c7beddbb06c7870c18b4d4670b0e97750bcf1f4a55a8fc56bfa08d5a920d2
                                              • Instruction Fuzzy Hash: 3E416C71D042199FDF12EF64CC85AEEBBB8FF05310F544466E815A22A1EB309E94CF50
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • GetSystemMetrics.USER32(0000000F), ref: 0035D47C
                                              • GetSystemMetrics.USER32(0000000F), ref: 0035D49C
                                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0035D6D7
                                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0035D6F5
                                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0035D716
                                              • ShowWindow.USER32(00000003,00000000), ref: 0035D735
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0035D75A
                                              • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 0035D77D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                              • String ID:
                                              • API String ID: 830902736-0
                                              • Opcode ID: 711d9170593c882a137a6538426ff3d554e3a0fb3e1927daac9f214e1ee6b507
                                              • Instruction ID: 396d8b19d073c74aea9fa0d0a3f54d09baaed4511b90c856df0074335fc12dfe
                                              • Opcode Fuzzy Hash: 711d9170593c882a137a6538426ff3d554e3a0fb3e1927daac9f214e1ee6b507
                                              • Instruction Fuzzy Hash: A8B18B71600215EFDF26CF69C985BAD7BB5FF08702F098069EC489F2A5D734A958CB90
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __itow__swprintf
                                              • String ID: 3c.$_.
                                              • API String ID: 674341424-1871209941
                                              • Opcode ID: 80aa1c6da40339263d433a66c8b3fe944e2057f7c5fd7f0322a7d3470ad52aec
                                              • Instruction ID: 64746b423b3645b78c0042665366e0114de1a2680a1da022d568a1fb724a1d82
                                              • Opcode Fuzzy Hash: 80aa1c6da40339263d433a66c8b3fe944e2057f7c5fd7f0322a7d3470ad52aec
                                              • Instruction Fuzzy Hash: 8722A9716283419FC725DF24C881BAEB7E4AF88710F40492DF99A9B291DB70ED54CF92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID:
                                              • API String ID: 4104443479-0
                                              • Opcode ID: 0896e90ef2f53b9a02d589d677eaca912af56f544ac391a6f34f7eb9078f2768
                                              • Instruction ID: bbe42382b3cb2e2cf38a36c4a473a354f18466f6b597e1e606ce6322ffa39087
                                              • Opcode Fuzzy Hash: 0896e90ef2f53b9a02d589d677eaca912af56f544ac391a6f34f7eb9078f2768
                                              • Instruction Fuzzy Hash: E8129A70A20619DFCF08DFA5D981AEEB7F5FF48304F60456AE406A7252EB35AD24CB50
                                              APIs
                                                • Part of subcall function 003287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032882B
                                                • Part of subcall function 003287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328858
                                                • Part of subcall function 003287E1: GetLastError.KERNEL32 ref: 00328865
                                              • ExitWindowsEx.USER32(?,00000000), ref: 003351F9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                              • String ID: $@$SeShutdownPrivilege
                                              • API String ID: 2234035333-194228
                                              • Opcode ID: e2235f6fe3a1856076abf04b774a1f0ee948dfdaadd2db220e490560ecf5e8e1
                                              • Instruction ID: f254ed9b47d73018ad4413c2fb77d541ee4eefa07dc2dad48904ff4ec7f6e697
                                              • Opcode Fuzzy Hash: e2235f6fe3a1856076abf04b774a1f0ee948dfdaadd2db220e490560ecf5e8e1
                                              • Instruction Fuzzy Hash: E501F2326916156BF72B6368ACCAFBB726CAB05341F250C20F903E60E2DA515C008690
                                              APIs
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 003462DC
                                              • WSAGetLastError.WS2_32(00000000), ref: 003462EB
                                              • bind.WS2_32(00000000,?,00000010), ref: 00346307
                                              • listen.WS2_32(00000000,00000005), ref: 00346316
                                              • WSAGetLastError.WS2_32(00000000), ref: 00346330
                                              • closesocket.WS2_32(00000000), ref: 00346344
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketlistensocket
                                              • String ID:
                                              • API String ID: 1279440585-0
                                              • Opcode ID: c662477a32a93195730453c548bb0cde8341eb7c9cd747f316db2999efbbe718
                                              • Instruction ID: 960a698c2acdafa176bddbf20dfc41cd66d9dfcfc21cb8d66633642d2f487663
                                              • Opcode Fuzzy Hash: c662477a32a93195730453c548bb0cde8341eb7c9cd747f316db2999efbbe718
                                              • Instruction Fuzzy Hash: 78219E356002049FCB11EF64C846A6EB7EDEF4A721F15415AF856AB3A1C770AD41CB51
                                              APIs
                                                • Part of subcall function 002F0DB6: std::exception::exception.LIBCMT ref: 002F0DEC
                                                • Part of subcall function 002F0DB6: __CxxThrowException@8.LIBCMT ref: 002F0E01
                                              • _memmove.LIBCMT ref: 00320258
                                              • _memmove.LIBCMT ref: 0032036D
                                              • _memmove.LIBCMT ref: 00320414
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                                              • String ID:
                                              • API String ID: 1300846289-0
                                              • Opcode ID: 92b6c7a047ee871d318d0fa8d6555797971a5f14b9ad79a9f7561d4238e20610
                                              • Instruction ID: f2962a8cd65a2dfe10ff328473e34dfe66ba82aa113f164bc8e11d084c97cc7f
                                              • Opcode Fuzzy Hash: 92b6c7a047ee871d318d0fa8d6555797971a5f14b9ad79a9f7561d4238e20610
                                              • Instruction Fuzzy Hash: E602D270A20219DBCF09DF65D981ABEBBB5EF44300F548069E806DB356EB34DD64CB91
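                                              The entries above are the IDA plugin's per-function summaries: direct API references, references reached through a subcall, the string set, and the similarity identifiers (API ID, API String ID, Opcode ID, Instruction Fuzzy Hash) that let a function be matched across reports. As an added example, not part of this report or of Joe Sandbox's own tooling, the Python below parses entries in this format into records that can be searched and pivoted on. The sample input is two entries copied from this report (the SeShutdownPrivilege/ExitWindowsEx function and the socket/bind/listen function); the regular expressions, record layout and helper names are my own assumptions about the listing format, not a published schema.

```python
"""Parse Joe Sandbox "IDA Plugin" function entries into pivotable records.

Added example, not part of the report. The entry layout (APIs, optional
Strings, Memory Dump Source, Similarity, ending at 'Instruction Fuzzy Hash')
is inferred from the listing; the regexes are assumptions, not a schema.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: two entries copied from this report, trimmed to the
# fields the parser uses.
SAMPLE = """\
APIs
  • Part of subcall function 003287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032882B
  • Part of subcall function 003287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328858
  • Part of subcall function 003287E1: GetLastError.KERNEL32 ref: 00328865
• ExitWindowsEx.USER32(?,00000000), ref: 003351F9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
• Opcode ID: e2235f6fe3a1856076abf04b774a1f0ee948dfdaadd2db220e490560ecf5e8e1
• Instruction Fuzzy Hash: E501F2326916156BF72B6368ACCAFBB726CAB05341F250C20F903E60E2DA515C008690
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 003462DC
• WSAGetLastError.WS2_32(00000000), ref: 003462EB
• bind.WS2_32(00000000,?,00000010), ref: 00346307
• listen.WS2_32(00000000,00000005), ref: 00346316
• WSAGetLastError.WS2_32(00000000), ref: 00346330
• closesocket.WS2_32(00000000), ref: 00346344
Memory Dump Source
• Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
• Opcode ID: c662477a32a93195730453c548bb0cde8341eb7c9cd747f316db2999efbbe718
• Instruction Fuzzy Hash: 78219E356002049FCB11EF64C846A6EB7EDEF4A721F15415AF856AB3A1C770AD41CB51
"""

# One API reference, with or without the "Part of subcall function" prefix,
# with or without an argument list, e.g. "GetLastError.KERNEL32 ref: 00328865".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]{8}): )?"
    r"(?P<name>\S+?)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# "Key: value" lines of the Memory Dump Source and Similarity sections.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str                  # address of the call site
    caller: Optional[str]     # callee address when reached via a subcall


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # decoded String ID list
    fields: dict = field(default_factory=dict)    # Opcode ID, API String ID, ...


def parse_function_blocks(text: str) -> list:
    """One FunctionRecord per entry; an entry ends at 'Instruction Fuzzy Hash'.
    Section headers ('APIs', 'Strings', 'Similarity', ...) carry no data."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()   # drop indent and bullet
        if not line:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("caller")))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if key == "String ID":
            # The report joins strings with '$'; a string that itself contains
            # '$' cannot be recovered unambiguously from this field.
            cur.strings = [s for s in val.split("$") if s]
        else:
            cur.fields[key] = val
        if key == "Instruction Fuzzy Hash":   # last field of an entry
            records.append(cur)
            cur = FunctionRecord()
    return records


def direct_api_sequence(rec: FunctionRecord) -> list:
    """Order-preserving, de-duplicated names of the APIs the function calls
    itself (subcall references excluded): socket->bind->listen reads as a
    listener even before any argument is resolved."""
    seen, out = set(), []
    for c in rec.apis:
        if c.caller is None and c.name not in seen:
            seen.add(c.name)
            out.append(c.name)
    return out


def functions_calling(records: list, api_name: str) -> list:
    """Entries referencing api_name anywhere, directly or through a subcall."""
    return [r for r in records if any(c.name == api_name for c in r.apis)]


if __name__ == "__main__":
    for rec in parse_function_blocks(SAMPLE):
        print(rec.fields["Opcode ID"][:16], direct_api_sequence(rec), rec.strings)
```

                                              Two caveats when using records like these for hunting. A listener or shutdown routine in this static listing is a capability, not an observed action: confirm it against the report's network and process sections before treating it as behaviour. And the API String ID and Opcode ID identify a function body, so they are useful for pairing this sample with other reports that share runtime code, but shared runtime functions will also match unrelated samples built with the same toolchain.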
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 002D19FA
                                              • GetSysColor.USER32(0000000F), ref: 002D1A4E
                                              • SetBkColor.GDI32(?,00000000), ref: 002D1A61
                                                • Part of subcall function 002D1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002D12D8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: ColorDialogNtdllProc_$LongWindow
                                              • String ID:
                                              • API String ID: 591255283-0
                                              • Opcode ID: f51e0a664d0218c620a61480a403676a10838b724bc51acf6d84be60fca0caa2
                                              • Instruction ID: d16a533fc268a3f2354eb9035b7a3371bc63d0e905495d77ecbced884a685839
                                              • Opcode Fuzzy Hash: f51e0a664d0218c620a61480a403676a10838b724bc51acf6d84be60fca0caa2
                                              • Instruction Fuzzy Hash: 88A18770136655BEE72BAE288C68EBF255CDB46346F20011BF402D6BE6CB608D70C3B1
                                              APIs
                                                • Part of subcall function 00347D8B: inet_addr.WS2_32(00000000), ref: 00347DB6
                                              • socket.WS2_32(00000002,00000002,00000011), ref: 0034679E
                                              • WSAGetLastError.WS2_32(00000000), ref: 003467C7
                                              • bind.WS2_32(00000000,?,00000010), ref: 00346800
                                              • WSAGetLastError.WS2_32(00000000), ref: 0034680D
                                              • closesocket.WS2_32(00000000), ref: 00346821
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                              • String ID:
                                              • API String ID: 99427753-0
                                              • Opcode ID: e33ddc154a8abb906f3775d1a636938433761e9c5a1a16ed40a928876c36cbec
                                              • Instruction ID: 40eb8014d2e984f75a2f1f417630f6c4f6585140921914677d3448669e011181
                                              • Opcode Fuzzy Hash: e33ddc154a8abb906f3775d1a636938433761e9c5a1a16ed40a928876c36cbec
                                              • Instruction Fuzzy Hash: C341C275A00210AFDB11BF68CC87F2E77E89F09B14F048459F956AB3D2CA70AD508B92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                              • String ID:
                                              • API String ID: 292994002-0
                                              • Opcode ID: 3237bf5d4f4885324914b7da3eae6804af4fc39e7ca7e9c9771086f4171f2ed3
                                              • Instruction ID: ea644aefcb7d7af487cfc13d0624c12a6f34a1772f4b816956ede65e342ebec7
                                              • Opcode Fuzzy Hash: 3237bf5d4f4885324914b7da3eae6804af4fc39e7ca7e9c9771086f4171f2ed3
                                              • Instruction Fuzzy Hash: 4B11B631300A115FD7236F26DC54F6E7B9DEF457A2F424429FC49D7261DB70AD018A90
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003280C0
                                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003280CA
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003280D9
                                              • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 003280E0
                                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003280F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: 9f6fc1b5c2a4e2703e780a8e4eeb408c03cebbbf3e5e93ebb90d1a1565faf420
                                              • Instruction ID: 385efd2fe8638a079d918ef34347d0746ca33826d19edb1e391bac5160d09848
                                              • Opcode Fuzzy Hash: 9f6fc1b5c2a4e2703e780a8e4eeb408c03cebbbf3e5e93ebb90d1a1565faf420
                                              • Instruction Fuzzy Hash: DCF06235246314AFEB120FA5EC8DE6B3BACEF49756F040025F945C71A0CB61ED51DA60
                                              APIs
                                              • CreateToolhelp32Snapshot.KERNEL32 ref: 0034EE3D
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 0034EE4B
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              • Process32NextW.KERNEL32(00000000,?), ref: 0034EF0B
                                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0034EF1A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                              • String ID:
                                              • API String ID: 2576544623-0
                                              • Opcode ID: 7a82ff4e74a84bd9a2860b43637e7522d5f43ca1269e6f1454b280c090911467
                                              • Instruction ID: e358190d14dd5ef5390dfccfec9d7d13c489a100fea6c7a82ca9aeb9d6f00e55
                                              • Opcode Fuzzy Hash: 7a82ff4e74a84bd9a2860b43637e7522d5f43ca1269e6f1454b280c090911467
                                              • Instruction Fuzzy Hash: CB517B71514710AFD311EF24D881EABB7E8FF94710F10482EF9959B2A1EB70AD58CB92
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • GetCursorPos.USER32(?), ref: 0035C4D2
                                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0030B9AB,?,?,?,?,?), ref: 0035C4E7
                                              • GetCursorPos.USER32(?), ref: 0035C534
                                              • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,0030B9AB,?,?,?), ref: 0035C56E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                              • String ID:
                                              • API String ID: 1423138444-0
                                              • Opcode ID: c1bea2caeef03bf06e881c8ae690f0a9b7c30556b60e9e7a8cb74bc7c7ba5cbd
                                              • Instruction ID: 62e96c5cf80efa1ce4e2cd16b33b580a11d9862913c3e2046e538beecab06492
                                              • Opcode Fuzzy Hash: c1bea2caeef03bf06e881c8ae690f0a9b7c30556b60e9e7a8cb74bc7c7ba5cbd
                                              • Instruction Fuzzy Hash: A831C135610218EFCF178F99C858EAA7BB9EB0A311F044469FD058B272D731AD54DFA4
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 002D12D8
                                              • GetClientRect.USER32(?,?), ref: 0030B5FB
                                              • GetCursorPos.USER32(?), ref: 0030B605
                                              • ScreenToClient.USER32(?,?), ref: 0030B610
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                              • String ID:
                                              • API String ID: 1010295502-0
                                              • Opcode ID: 9aa06ab61970c02be7ed8fc43acdebcf497ddc74529ae1a815de6b23806cfc17
                                              • Instruction ID: 362132919169a30af34d475339472279f630bc798ff55cde04e051ba3d7c0dfe
                                              • Opcode Fuzzy Hash: 9aa06ab61970c02be7ed8fc43acdebcf497ddc74529ae1a815de6b23806cfc17
                                              • Instruction Fuzzy Hash: 81116A35A20129FFCB02EF98D8899EE77B9FB05301F000456F901E7650D731BE618BA5
                                              APIs
                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0032E628
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: lstrlen
                                              • String ID: ($|
                                              • API String ID: 1659193697-1631851259
                                              • Opcode ID: 274e0adf6280c874488deb38ded1a2f3c2ed352d0eea4257bb4b64739d749f97
                                              • Instruction ID: 244fd08efb5d768bcd8c1fb6116e493c058476bb13bef5faa8d943188a43a990
                                              • Opcode Fuzzy Hash: 274e0adf6280c874488deb38ded1a2f3c2ed352d0eea4257bb4b64739d749f97
                                              • Instruction Fuzzy Hash: DC323675A007159FDB29CF19D48196AB7F0FF48320B16C46EE89ADB7A1E770E941CB40
                                              APIs
                                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0034180A,00000000), ref: 003423E1
                                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00342418
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: Internet$AvailableDataFileQueryRead
                                              • String ID:
                                              • API String ID: 599397726-0
                                              • Opcode ID: e7bdcf907b3da7f1f9d41f986b0ddb4f61db116a14c07c0503ddcefb0429adaa
                                              • Instruction ID: f12ab99569877eb223c4bdb234f169588460d3a1ba207c4d421a100fe17b7c2d
                                              • Opcode Fuzzy Hash: e7bdcf907b3da7f1f9d41f986b0ddb4f61db116a14c07c0503ddcefb0429adaa
                                              • Instruction Fuzzy Hash: 43411575900309BFEB12DE96DC81EBBB7FCEB40354F50406AFA00BB241DA74BE419A60
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0033B343
                                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0033B39D
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0033B3EA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: ErrorMode$DiskFreeSpace
                                              • String ID:
                                              • API String ID: 1682464887-0
                                              • Opcode ID: 1213a040c0dbe7b4a3911ed62da45013a1b36484f9874dfcaaafbdec5461cf91
                                              • Instruction ID: d1ae221be41763973aa9fe9cf20f73f42fbbd19e113e85a837d8683997e42b8e
                                              • Opcode Fuzzy Hash: 1213a040c0dbe7b4a3911ed62da45013a1b36484f9874dfcaaafbdec5461cf91
                                              • Instruction Fuzzy Hash: 4C214F35A00618DFCB01EFA5D881AEDBBB8FF49310F1480AAE905EB361CB319955CB50
                                              APIs
                                                • Part of subcall function 002F0DB6: std::exception::exception.LIBCMT ref: 002F0DEC
                                                • Part of subcall function 002F0DB6: __CxxThrowException@8.LIBCMT ref: 002F0E01
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0032882B
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00328858
                                              • GetLastError.KERNEL32 ref: 00328865
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                              • String ID:
                                              • API String ID: 1922334811-0
                                              • Opcode ID: 34b763dbe3422dd34d84b507f9312cd7fee27fb42c4b5b676ca40df8fe371eee
                                              • Instruction ID: 47edef6c518c2485624cc192ccb781c554c498b03798eed5e3266fc41582def1
                                              • Opcode Fuzzy Hash: 34b763dbe3422dd34d84b507f9312cd7fee27fb42c4b5b676ca40df8fe371eee
                                              • Instruction Fuzzy Hash: 06116DB2814304AFE719DFA4EC85D6BB7ACFB44711B24852EE45597251EB30BC408B60
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00328774
                                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0032878B
                                              • FreeSid.ADVAPI32(?), ref: 0032879B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              • Opcode ID: f48b397172f87bed5999cf224e4c6ffdf36231288d725ed5293dfdbf98cccea1
                                              • Instruction ID: 41e76f7b2b9d12ddf0435d37a95d7dea0e353c201b7665963c670db31363d06e
                                              • Opcode Fuzzy Hash: f48b397172f87bed5999cf224e4c6ffdf36231288d725ed5293dfdbf98cccea1
                                              • Instruction Fuzzy Hash: 1FF03775A11308BFDB00DFE4DC89ABEBBBCEF08311F1044A9A902E2191E6716A048B50
                                              APIs
                                              • __time64.LIBCMT ref: 0033889B
                                                • Part of subcall function 002F520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00338F6E,00000000,?,?,?,?,0033911F,00000000,?), ref: 002F5213
                                                • Part of subcall function 002F520A: __aulldiv.LIBCMT ref: 002F5233
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Time$FileSystem__aulldiv__time64
                                              • String ID: 0e9
                                              • API String ID: 2893107130-2628070248
                                              • Opcode ID: d597c439547ee79c64ca9f1e7a5cb93c0be34da02c6c4ca2b3b38020cb01e98f
                                              • Instruction ID: a3bf0fa9c3cc3ad85466c01e9d7f301b39bc9f62724ea4cf8f710a6ad09d57da
                                              • Opcode Fuzzy Hash: d597c439547ee79c64ca9f1e7a5cb93c0be34da02c6c4ca2b3b38020cb01e98f
                                              • Instruction Fuzzy Hash: 1521DF32635610CBC72ACF29D881A52B3E5EFA5310F298E2CE1F5CF2D0CA35A905CB54
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                                • Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC
                                              • GetParent.USER32(?), ref: 0030B7BA
                                              • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,002D19B3,?,?,?,00000006,?), ref: 0030B834
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LongWindow$DialogNtdllParentProc_
                                              • String ID:
                                              • API String ID: 314495775-0
                                              • Opcode ID: 6e67545ccfeac6218863b7d5f91675c60deac8e7a40703f4863188de1f349d56
                                              • Instruction ID: 963cea4c22ad6947049db966f98eb4d37f37debd9f6a95d835bf0c28c35200ab
                                              • Opcode Fuzzy Hash: 6e67545ccfeac6218863b7d5f91675c60deac8e7a40703f4863188de1f349d56
                                              • Instruction Fuzzy Hash: C421E134205105BFDB228F28C898DA97BAAEF0A320F584252F5695B7F2C7329D71DB50
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?), ref: 0033C6FB
                                              • FindClose.KERNEL32(00000000), ref: 0033C72B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID:
                                              • API String ID: 2295610775-0
                                              • Opcode ID: 3949e93540a7d8f99337e996ac7472013be4c50c5d8e34b295f4c70896b0338c
                                              • Instruction ID: db19f9e2a0bfd3c98baf48086507ebce16428c2768d4dab0f3dcb3f7652c880d
                                              • Opcode Fuzzy Hash: 3949e93540a7d8f99337e996ac7472013be4c50c5d8e34b295f4c70896b0338c
                                              • Instruction Fuzzy Hash: 96118E766102009FDB10EF29D885A2AF7E8EF85325F00851EF9A9D73A1DB30AC01CF81
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0030B93A,?,?,?), ref: 0035C5F1
                                                • Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC
                                              • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0035C5D7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LongWindow$DialogMessageNtdllProc_Send
                                              • String ID:
                                              • API String ID: 1273190321-0
                                              • Opcode ID: af4d0bb4192abce590ad128fe56a994c2dbff2d6410000c387674888feaf215e
                                              • Instruction ID: cda450900f7b64b6b28cbf5c00d8f4f086014a716b6d43c540802c5b6d624ea3
                                              • Opcode Fuzzy Hash: af4d0bb4192abce590ad128fe56a994c2dbff2d6410000c387674888feaf215e
                                              • Instruction Fuzzy Hash: C401DE30200304AFCB235F55DC44E6A3BAAFB86366F140929F9411B2B0CB32A859DB90
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 0035C961
                                              • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,0030BA16,?,?,?,?,?), ref: 0035C98A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClientDialogNtdllProc_Screen
                                              • String ID:
                                              • API String ID: 3420055661-0
                                              • Opcode ID: b5181f438b4e5b9007cfb98aac8378dd7af2072f805389a5bb1412130228b33d
                                              • Instruction ID: 17bf3a68916b803104bff14b2ee252d51086b794ba65a1cccbd62d24c91fd6ea
                                              • Opcode Fuzzy Hash: b5181f438b4e5b9007cfb98aac8378dd7af2072f805389a5bb1412130228b33d
                                              • Instruction Fuzzy Hash: E0F0677241021CFFEB068F85DC089AE7BBCFB08312F00016AF901A2160D3716A60EBA0
                                              APIs
                                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00349468,?,0035FB84,?), ref: 0033A097
                                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00349468,?,0035FB84,?), ref: 0033A0A9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorFormatLastMessage
                                              • String ID:
                                              • API String ID: 3479602957-0
                                              • Opcode ID: aaad4aa63df7794165768948082eb5145e894279f1b56c693053c2883e2709d6
                                              • Instruction ID: d35b8d6c859ac6d26937355ddf7f7ade4d83e64e2ec5e356350a7ca61c4fbf3f
                                              • Opcode Fuzzy Hash: aaad4aa63df7794165768948082eb5145e894279f1b56c693053c2883e2709d6
                                              • Instruction Fuzzy Hash: 52F0823510532DABDB22AFA4CC88FEA776DBF08361F004166F949D7191D7309944CBA1
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EC), ref: 0035CA84
                                              • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,0030B995,?,?,?,?), ref: 0035CAB2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 909293fb632f6b67b16d63ec0cc7234874985eba14c7f5bb2bbceb1e6834c138
                                              • Instruction ID: ecdc17f0baa39d4ed3b5901e013fd49a3b54e8a8abed1d5ba192e09bb5f759eb
                                              • Opcode Fuzzy Hash: 909293fb632f6b67b16d63ec0cc7234874985eba14c7f5bb2bbceb1e6834c138
                                              • Instruction Fuzzy Hash: 58E04F70100318BFEB169F19DC1AFBA3B58EB04752F508515F956D91F1C67098509760
                                              APIs
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00328309), ref: 003281E0
                                              • CloseHandle.KERNEL32(?,?,00328309), ref: 003281F2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AdjustCloseHandlePrivilegesToken
                                              • String ID:
                                              • API String ID: 81990902-0
                                              • Opcode ID: cf78ad93449b2873653ab7a4b8e577183655cbdbcc8fb7df69093b0d13f97f11
                                              • Instruction ID: b1efb6b6fdfe3cb12462b182f502370534c3e1c35b5065b6e17baba4bbfefbec
                                              • Opcode Fuzzy Hash: cf78ad93449b2873653ab7a4b8e577183655cbdbcc8fb7df69093b0d13f97f11
                                              • Instruction Fuzzy Hash: 82E0E671011610AFE7262B60FC05D77B7EDEF04351B14883DF55585471DB616CA1DB50
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,00364178,002F8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 002FA15A
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 002FA163
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: ebaf47ad8bf0f24390ae7ddad7698e105472ad67f38b47b5816f27502fca8378
                                              • Instruction ID: 973e0738fb69f4726c8f1992845adcf4919a085a2bdd39ec21890124f5a9c66e
                                              • Opcode Fuzzy Hash: ebaf47ad8bf0f24390ae7ddad7698e105472ad67f38b47b5816f27502fca8378
                                              • Instruction Fuzzy Hash: 2EB09235054308AFEA022F91ED09B893F7CEB44BA3F404020F60D84070CB6254508A91
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 419d4f91e0887aafb8a4cafdb2c22a1544b57ced96be7142f58349cff2459d2e
                                              • Instruction ID: 1e689d55fbea00f81d6a12062b6967b1c89f8ce78ed7e30fa6cde7fe7c55fe9a
                                              • Opcode Fuzzy Hash: 419d4f91e0887aafb8a4cafdb2c22a1544b57ced96be7142f58349cff2459d2e
                                              • Instruction Fuzzy Hash: 7D321422D39F454DD7639A34C932335A24CAFB73C8F55D737E82AB5AA5EB68C4934100
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 386c251a7845ef3045f878a15bcb77aa074f104c24ffada56d31e366713c621d
                                              • Instruction ID: 829a9f27e0249b1db9337add5aa48185a8d5a0dcadf2d3405b05138ceec06ea6
                                              • Opcode Fuzzy Hash: 386c251a7845ef3045f878a15bcb77aa074f104c24ffada56d31e366713c621d
                                              • Instruction Fuzzy Hash: 63B10320D2AF414DD32396398835336BB5CAFBB2C5F51D71BFC2674E62EB6285834641
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 0035D838
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 5e73a9c169f53c9635c602da93764e611e57e2bdec7e5ad0e2215ccbc498bd6d
                                              • Instruction ID: 71b965c387fcb6ba55df2f9fd97cd556e790eb2c3805203a6da92c88717450b1
                                              • Opcode Fuzzy Hash: 5e73a9c169f53c9635c602da93764e611e57e2bdec7e5ad0e2215ccbc498bd6d
                                              • Instruction Fuzzy Hash: 0011E734204655ABEB375E2CCC06F7A3718D745722F604315FD255FAF2CA609E0893A4
                                              APIs
                                                • Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC
                                              • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,0030B952,?,?,?,?,00000000,?), ref: 0035D432
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 2ce05fa0a183acc1b1fc9083a8276f063ac0060a8862ff6e15666f2ce9c07a8d
                                              • Instruction ID: dd0d124eb73eba1e2a1f51b9174ce3f12206fc9d63caafbc306dbf6dcd33b0c0
                                              • Opcode Fuzzy Hash: 2ce05fa0a183acc1b1fc9083a8276f063ac0060a8862ff6e15666f2ce9c07a8d
                                              • Instruction Fuzzy Hash: DB012875600114AFDF278F26D845EB93B55EF46323F454125FD061B2B1C731BC5597A0
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,002D1B04,?,?,?,?,?), ref: 002D18E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 351a8cdb33dfad63fc9faaa56bd849edc73c93e8b6138eafc9a46e896fa97a64
                                              • Instruction ID: 66c33c71ab9f426bc398f714e2b3b29cccf07369e13d2c50b6df68c20aab73fc
                                              • Opcode Fuzzy Hash: 351a8cdb33dfad63fc9faaa56bd849edc73c93e8b6138eafc9a46e896fa97a64
                                              • Instruction Fuzzy Hash: DCF0BE34610219EFDB0ADF44D85092637AAEB00310F50412AF8528B3A1C732DDB0EB50
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 0035C8FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              • Opcode ID: c67d972cc8a0b40dbc024e9eb67af45a62d2581ed6f3d8a20a5ea5b5602ecea1
                                              • Instruction ID: bd8df18cf5a75061415e64c857386eee34c0ad35b9339e81dac03695b256249b
                                              • Opcode Fuzzy Hash: c67d972cc8a0b40dbc024e9eb67af45a62d2581ed6f3d8a20a5ea5b5602ecea1
                                              • Instruction Fuzzy Hash: 77F03935214259AFDF229E58DC05FD63B99AB09320F544019BA21672E2CA706920D7A0
                                              APIs
                                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00334C4A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: mouse_event
                                              • String ID:
                                              • API String ID: 2434400541-0
                                              • Opcode ID: 4d8f34f3f6e5ab87402466d9be8375fbded679016c72709e91d2501b3792cfc3
                                              • Instruction ID: 1365807d5722b8fe21c06290830feca36722e22d5d42a869e2a5353d03a9d564
                                              • Opcode Fuzzy Hash: 4d8f34f3f6e5ab87402466d9be8375fbded679016c72709e91d2501b3792cfc3
                                              • Instruction Fuzzy Hash: F1D05E9116530938EC1F0720AE8FF7A010CE300782FD1A14971028A1C1FC847C809030
                                              APIs
                                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00328389), ref: 003287D1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LogonUser
                                              • String ID:
                                              • API String ID: 1244722697-0
                                              • Opcode ID: c3dfdbd9dd837dacfcc9ade63fe76a90a531a349e137de00ae4758895de05787
                                              • Instruction ID: 03d37a13bd640d0ae5f34d684c845726c520d6c988c475e6facdb45665ee1d22
                                              • Opcode Fuzzy Hash: c3dfdbd9dd837dacfcc9ade63fe76a90a531a349e137de00ae4758895de05787
                                              • Instruction Fuzzy Hash: 1CD05E3226060EAFEF018EA4DC01EBE3B69EB04B01F408111FE15C60A1C775D835AB60
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0030B9BC,?,?,?,?,?,?), ref: 0035C934
                                                • Part of subcall function 0035B635: _memset.LIBCMT ref: 0035B644
                                                • Part of subcall function 0035B635: _memset.LIBCMT ref: 0035B653
                                                • Part of subcall function 0035B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00396F20,00396F64), ref: 0035B682
                                                • Part of subcall function 0035B635: CloseHandle.KERNEL32 ref: 0035B694
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                              • String ID:
                                              • API String ID: 2364484715-0
                                              • Opcode ID: e0f46c68adc5f41ea3250d9f3fa6af571e019769e3ef94ece4e58cc5f32319fd
                                              • Instruction ID: de45fa0451980852bf51c633713df65ceb48892ccc307d0396eda5e9e46f43f3
                                              • Opcode Fuzzy Hash: e0f46c68adc5f41ea3250d9f3fa6af571e019769e3ef94ece4e58cc5f32319fd
                                              • Instruction Fuzzy Hash: FAE01231220208EFCB02AF44DC10E8637A9FB08306F018011FE050B2B2C731A860EF50
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,002D1AEE,?,?,?), ref: 002D16AB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogLongNtdllProc_Window
                                              • String ID:
                                              • API String ID: 2065330234-0
                                              • Opcode ID: 500dce7189915b62a3392866b690fa7782059d0a9f81764f7bb3c30488ee1b7c
                                              • Instruction ID: 12126b9e080008990c24848e2de21ff38123797d93c611fa7b2a28c280080c0c
                                              • Opcode Fuzzy Hash: 500dce7189915b62a3392866b690fa7782059d0a9f81764f7bb3c30488ee1b7c
                                              • Instruction Fuzzy Hash: AFE0EC35614208FBCF07AF90DC11E653B2AFB59310F508459FA450A2A1CA33A961DB50
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL ref: 0035C885
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              • Opcode ID: e199d4be6bd59347a38f6df9be6bfca53b0a60e766cc0030a94d7518c2e00984
                                              • Instruction ID: aa1d228abc34a6ab733650b2d961c931de98781f4a2652656a2b0880b9fb5b06
                                              • Opcode Fuzzy Hash: e199d4be6bd59347a38f6df9be6bfca53b0a60e766cc0030a94d7518c2e00984
                                              • Instruction Fuzzy Hash: A7E0E23520420CEFCB02DF88D884E863BA9AB1D300F004054FA0547272C771A820EB61
                                              APIs
                                              • NtdllDialogWndProc_W.NTDLL ref: 0035C8B4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: DialogNtdllProc_
                                              • String ID:
                                              • API String ID: 3239928679-0
                                              • Opcode ID: 3e2ab9250f248fd9de9d3b008fe9808328f9cc257a1dd962845d8a40be1c29fb
                                              • Instruction ID: 176c3ad5ea104a894343fb0883554e70a29160a439fd274b75a4cd9e44be5dea
                                              • Opcode Fuzzy Hash: 3e2ab9250f248fd9de9d3b008fe9808328f9cc257a1dd962845d8a40be1c29fb
                                              • Instruction Fuzzy Hash: AFE0E23520420CEFCB02DF88D844D863BA9AB1D300F004054FA0547272C772A860EBA1
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                                • Part of subcall function 002D201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002D20D3
                                                • Part of subcall function 002D201B: KillTimer.USER32(-00000001,?,?,?,?,002D16CB,00000000,?,?,002D1AE2,?,?), ref: 002D216E
                                              • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,002D1AE2,?,?), ref: 002D16D4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                              • String ID:
                                              • API String ID: 2797419724-0
                                              • Opcode ID: 9985e4d406550f14ce9c1e98951015a739e4160113fb1217b0691b3d69034e41
                                              • Instruction ID: e564b230a493eb42263be2a8eb50efd12dcf7f74286f59f57960e3969b590644
                                              • Opcode Fuzzy Hash: 9985e4d406550f14ce9c1e98951015a739e4160113fb1217b0691b3d69034e41
                                              • Instruction Fuzzy Hash: 1CD01230140318FBDE132F91DC17F493A1D9B24751F508421BA04692E3CA71AD60A998
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 002FA12A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: 8873933b1294cd451c2584fe849046c3a8796cc1d2f636c0ac5fc41db15bd192
                                              • Instruction ID: d97d3514d2958cdb527f79e87841708b558964224c54773251e57d74d40a9f6b
                                              • Opcode Fuzzy Hash: 8873933b1294cd451c2584fe849046c3a8796cc1d2f636c0ac5fc41db15bd192
                                              • Instruction Fuzzy Hash: 1EA0113000020CAB8A022F82EC08888BFACEA002A2B008020F80C800328B32A8208A80
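Added triage example (editor's code, not part of the Joe Sandbox report and not code from the analysed sample): a Python parser for the per-function records listed above, in the layout used on this page, that indexes every API call site by name and flags the records worth opening first in IDA. The embedded sample text is constructed from five records on this page with the Associated dump lines omitted; the watch-list of API names and the reasons next to them are the editor's assumption, not a Joe Sandbox field.

```python
import re
from collections import defaultdict

# Bullet shapes that occur in the 'APIs' list of a record:
#   • Name.MODULE(args), ref: ADDR
#   • Name.MODULE ref: ADDR
#   • Part of subcall function ADDR: Name.MODULE(...), ref: ADDR
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]{64})\s*$")

# Editor's triage watch-list (an assumption, not something the report defines).
WATCHLIST = {
    "CreateProcessW": "process creation",
    "LogonUserW": "credential use / token creation",
    "SetUnhandledExceptionFilter": "crash handler, a common anti-debug hook",
    "mouse_event": "synthetic input injection",
}

def parse_records(text):
    """Split report text into records {'opcode_id': str|None, 'apis': [...]}.
    A record begins at an 'APIs' or 'Strings' header; lines before the first
    header (the tail of a truncated record) are ignored."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() in ("APIs", "Strings"):
            if cur is not None:
                records.append(cur)
            cur = {"opcode_id": None, "apis": []}
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "api": m.group("api"),
                "mod": m.group("mod"),
                "args": [a for a in (m.group("args") or "").split(",") if a],
                "ref": m.group("ref").upper(),
                # address of the intermediate function on 'Part of subcall' lines
                "sub": m.group("sub").upper() if m.group("sub") else None,
            })
            continue
        m = OPCODE_RE.match(line)
        if m:
            cur["opcode_id"] = m.group("id")
    if cur is not None:
        records.append(cur)
    return records

def api_index(records):
    """API name -> sorted call-site addresses, across all records."""
    index = defaultdict(set)
    for rec in records:
        for call in rec["apis"]:
            index[call["api"]].add(call["ref"])
    return {api: sorted(refs) for api, refs in index.items()}

def flag_records(records, watchlist=WATCHLIST):
    """(opcode_id, api, reason, call site, reached via subcall) per watch-listed call."""
    return [
        (rec["opcode_id"], c["api"], watchlist[c["api"]], c["ref"], c["sub"] is not None)
        for rec in records
        for c in rec["apis"]
        if c["api"] in watchlist
    ]

# Constructed sample: five records copied from this page, trimmed to the
# fields the parser uses.
SAMPLE = """\
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00334C4A
Memory Dump Source
• Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
• Opcode ID: 4d8f34f3f6e5ab87402466d9be8375fbded679016c72709e91d2501b3792cfc3
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00328389), ref: 003287D1
• Opcode ID: c3dfdbd9dd837dacfcc9ade63fe76a90a531a349e137de00ae4758895de05787
APIs
• NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,0030B9BC,?,?,?,?,?,?), ref: 0035C934
  • Part of subcall function 0035B635: _memset.LIBCMT ref: 0035B644
  • Part of subcall function 0035B635: _memset.LIBCMT ref: 0035B653
  • Part of subcall function 0035B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00396F20,00396F64), ref: 0035B682
  • Part of subcall function 0035B635: CloseHandle.KERNEL32 ref: 0035B694
• API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
• Opcode ID: e0f46c68adc5f41ea3250d9f3fa6af571e019769e3ef94ece4e58cc5f32319fd
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 002FA12A
• Opcode ID: 8873933b1294cd451c2584fe849046c3a8796cc1d2f636c0ac5fc41db15bd192
Strings
• String ID: >@ABCRRRRRDEFGHIJKLMNO
• Opcode ID: 422d58b70827847f0625c345d1c38fc6b2ad789fd3806e5de562aa419b12d4ab
"""

if __name__ == "__main__":
    for oid, api, why, ref, via_sub in flag_records(parse_records(SAMPLE)):
        how = "subcall" if via_sub else "direct"
        print(f"{oid[:12]}  {api:<28} @ {ref}  {how:<8} {why}")
```

Run it on a saved copy of the function-analysis section instead of SAMPLE. The last field distinguishes a direct call from one reached through a "Part of subcall function" line, which matters here: the CreateProcessW call at 0035B682 is reached from the dialog procedure at 0035C934 through the intermediate function at 0035B635, so that intermediate function, not the dialog procedure, is the one to read first.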
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: >@ABCRRRRRDEFGHIJKLMNO
                                              • API String ID: 0-3782972239
                                              • Opcode ID: 422d58b70827847f0625c345d1c38fc6b2ad789fd3806e5de562aa419b12d4ab
                                              • Instruction ID: 084861131e0496df6b5b220792211b635924c748f9d82ad4a9e44b726e3fa69f
                                              • Opcode Fuzzy Hash: 422d58b70827847f0625c345d1c38fc6b2ad789fd3806e5de562aa419b12d4ab
                                              • Instruction Fuzzy Hash: C681C07615D7D58FC30B8B3488666D27FB1EF17214B1A45EEC482CF4B3E2695886CB22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 298c5820126610eb6cc95b56cd1e4736d44779fd66f28c91d5920c91dd9ee36e
                                              • Instruction ID: 045b3f7a7028d847a0c77d4c7714254937611f316464ec4953a68accb9a117c3
                                              • Opcode Fuzzy Hash: 298c5820126610eb6cc95b56cd1e4736d44779fd66f28c91d5920c91dd9ee36e
                                              • Instruction Fuzzy Hash: 6F226D309646A7CBDF3A8F16E49437C77A1FF00304FA98466D9CA8B692DB709DA1C741
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction ID: c5bc39ae2024bf5f6483545df378e62ce84ee7f1dfce0b44a0d66c0a209fff28
                                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                              • Instruction Fuzzy Hash: 05C196322250978ADF2D4A3A843443EFAA15EA37F135A077DD9B3DB1D4EE10C939D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction ID: 35938fd69ecab2aeed45f421bd6a19491f888d3f45c03b18ba6ff3e23cc794fa
                                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                              • Instruction Fuzzy Hash: EFC194322251978ADF2D4A3AC43443EFAA15EA37F135A077DD5B2DB1D4EE20C939D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction ID: 093fb94657d4de045baf52954cf402890033007cadf2982bde8a8a1b01e47166
                                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                              • Instruction Fuzzy Hash: 59C1713222519789DF2D4A3AC47453EFAA15EA2BF139A077DD5B2CB1C4EE20C935D620
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                              • Instruction ID: 1e280b50fbe282816cfe614e224cc32adf641f2a108803db11c6406811028d1b
                                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                              • Instruction Fuzzy Hash: 9B41C471D1051CDBCF48CFADC991AEEBBF1AF88201F548299D516AB345D730AB41DB50
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                              • Instruction ID: cee391677406fc78eb1fc7b65ef7ca1b09135e9338dfc80c1ae85aad8fe48c7c
                                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                              • Instruction Fuzzy Hash: 93019278A00209EFCB44DF98C5909AEF7F5FB48310F20859AE909A7711D730AE41DB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                              • Instruction ID: 15692c4eb99f6701ebd8b0873c848845f0dae0a0f7f420e124faf4312f1b06e2
                                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                              • Instruction Fuzzy Hash: DC019278A00209EFCB44DF98C5909AEF7F5FB48310F20859AD919A7311D730AE41DB80
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
                                              • Instruction ID: 12cbbee2ad97ca28ebd479973cedbf0f86dc4bb29c9604106d163cb5d8cfbbc3
                                              • Opcode Fuzzy Hash: 39883051ad0acd5fc3a9b65a285c220fc8651299cfdca9718842298b505bee9e
                                              • Instruction Fuzzy Hash: F6C08C300453C89ADB028759E08C7407BEDAB0AA18F1400E4D8080BA02C3A96A048A45
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 9dd7fe9de75e44de9abc4087ab3ccb8164f9d5f7699dcabc653c1d5b2b8c711e
                                              • Instruction ID: 9dc67dc57872a1e7961f41720b128a346c41a9ee8530b54386f3d33372706e6d
                                              • Opcode Fuzzy Hash: 9dd7fe9de75e44de9abc4087ab3ccb8164f9d5f7699dcabc653c1d5b2b8c711e
                                              • Instruction Fuzzy Hash: 2BD012DB8085AF4FC343C9347A641D0FF21282501834E4ADF44407349BD1105D37D742
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240612409.00000000014F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 014F7000, based on PE: false
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_14f7000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 0034785B
                                              • DeleteObject.GDI32(00000000), ref: 0034786D
                                              • DestroyWindow.USER32 ref: 0034787B
                                              • GetDesktopWindow.USER32 ref: 00347895
                                              • GetWindowRect.USER32(00000000), ref: 0034789C
                                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003479DD
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003479ED
                                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347A35
                                              • GetClientRect.USER32(00000000,?), ref: 00347A41
                                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00347A7B
                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347A9D
                                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347AB0
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347ABB
                                              • GlobalLock.KERNEL32(00000000), ref: 00347AC4
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347AD3
                                              • GlobalUnlock.KERNEL32(00000000), ref: 00347ADC
                                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347AE3
                                              • GlobalFree.KERNEL32(00000000), ref: 00347AEE
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,88C00000), ref: 00347B00
                                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00362CAC,00000000), ref: 00347B16
                                              • GlobalFree.KERNEL32(00000000), ref: 00347B26
                                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00347B4C
                                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00347B6B
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347B8D
                                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00347D7A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                              • String ID: $AutoIt v3$DISPLAY$static
                                              • API String ID: 2211948467-2373415609
                                              • Opcode ID: 239a4042eed92db15c4f6e94df25218054ad5f2518d017c74fa1c61155178579
                                              • Instruction ID: 2992540ca73f247f2d4cade64dc2d6d5428b2707453b499fb98aa0d64a2ed77e
                                              • Opcode Fuzzy Hash: 239a4042eed92db15c4f6e94df25218054ad5f2518d017c74fa1c61155178579
                                              • Instruction Fuzzy Hash: 42027971910205EFDB16DFA4DC89EAE7BBDEF48311F158569F905AB2A0CB30AD41CB60
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,0035F910), ref: 00353627
                                              • IsWindowVisible.USER32(?), ref: 0035364B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: BuffCharUpperVisibleWindow
                                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                              • API String ID: 4105515805-45149045
                                              • Opcode ID: 5c5a53d49281f1cdf2ff5216edebf5d4415a9dfd0769c023b390807e0ececc47
                                              • Instruction ID: 0a6fa56b1710bfa2d7f978c708c945b03be1fdf15c4dadfd18ed37194cb97036
                                              • Opcode Fuzzy Hash: 5c5a53d49281f1cdf2ff5216edebf5d4415a9dfd0769c023b390807e0ececc47
                                              • Instruction Fuzzy Hash: 65D18A342143019BCB06EF10C992E6EB7A5AF94395F154469FD829B3B2DB31EE4ECB41
                                              APIs
                                              • SetTextColor.GDI32(?,00000000), ref: 0035A630
                                              • GetSysColorBrush.USER32(0000000F), ref: 0035A661
                                              • GetSysColor.USER32(0000000F), ref: 0035A66D
                                              • SetBkColor.GDI32(?,000000FF), ref: 0035A687
                                              • SelectObject.GDI32(?,00000000), ref: 0035A696
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0035A6C1
                                              • GetSysColor.USER32(00000010), ref: 0035A6C9
                                              • CreateSolidBrush.GDI32(00000000), ref: 0035A6D0
                                              • FrameRect.USER32(?,?,00000000), ref: 0035A6DF
                                              • DeleteObject.GDI32(00000000), ref: 0035A6E6
                                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0035A731
                                              • FillRect.USER32(?,?,00000000), ref: 0035A763
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0035A78E
                                                • Part of subcall function 0035A8CA: GetSysColor.USER32(00000012), ref: 0035A903
                                                • Part of subcall function 0035A8CA: SetTextColor.GDI32(?,?), ref: 0035A907
                                                • Part of subcall function 0035A8CA: GetSysColorBrush.USER32(0000000F), ref: 0035A91D
                                                • Part of subcall function 0035A8CA: GetSysColor.USER32(0000000F), ref: 0035A928
                                                • Part of subcall function 0035A8CA: GetSysColor.USER32(00000011), ref: 0035A945
                                                • Part of subcall function 0035A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035A953
                                                • Part of subcall function 0035A8CA: SelectObject.GDI32(?,00000000), ref: 0035A964
                                                • Part of subcall function 0035A8CA: SetBkColor.GDI32(?,00000000), ref: 0035A96D
                                                • Part of subcall function 0035A8CA: SelectObject.GDI32(?,?), ref: 0035A97A
                                                • Part of subcall function 0035A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0035A999
                                                • Part of subcall function 0035A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035A9B0
                                                • Part of subcall function 0035A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0035A9C5
                                                • Part of subcall function 0035A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035A9ED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 3521893082-0
                                              • Opcode ID: 27060eab3b5a7cab14fb0646ac60aea2597f363aeb7518932259a707165e14ce
                                              • Instruction ID: 979cb1d9311a00967ed349340ddbffb8f9aae112d072b876e37694c801f49bb3
                                              • Opcode Fuzzy Hash: 27060eab3b5a7cab14fb0646ac60aea2597f363aeb7518932259a707165e14ce
                                              • Instruction Fuzzy Hash: 8E916B72008701AFC7129F64DC48E5BBBADFB89322F140B29F9A2961F1D771D944DB52
                                              APIs
                                              • DestroyWindow.USER32(00000000), ref: 003474DE
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0034759D
                                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003475DB
                                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003475ED
                                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00347633
                                              • GetClientRect.USER32(00000000,?), ref: 0034763F
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00347683
                                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00347692
                                              • GetStockObject.GDI32(00000011), ref: 003476A2
                                              • SelectObject.GDI32(00000000,00000000), ref: 003476A6
                                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003476B6
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003476BF
                                              • DeleteDC.GDI32(00000000), ref: 003476C8
                                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003476F4
                                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 0034770B
                                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00347746
                                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0034775A
                                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 0034776B
                                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0034779B
                                              • GetStockObject.GDI32(00000011), ref: 003477A6
                                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003477B1
                                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003477BB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                              • API String ID: 2910397461-517079104
                                              • Opcode ID: c67fa7b3e4e1bcdb155f404f5e2b3f32cd63965ee4b42dd8f2d1ef03fec8e989
                                              • Instruction ID: 73ee3454cc2fba81c1b67233265a6f63efc58946fc4451ad406cc8bfaa31d779
                                              • Opcode Fuzzy Hash: c67fa7b3e4e1bcdb155f404f5e2b3f32cd63965ee4b42dd8f2d1ef03fec8e989
                                              • Instruction Fuzzy Hash: 81A16CB1A10605BFEB16DBA4DD4AFAE7BADEB09711F004115FA15AB2E0D770AD40CB60
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0033AD1E
                                              • GetDriveTypeW.KERNEL32(?,0035FAC0,?,\\.\,0035F910), ref: 0033ADFB
                                              • SetErrorMode.KERNEL32(00000000,0035FAC0,?,\\.\,0035F910), ref: 0033AF59
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorMode$DriveType
                                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                              • API String ID: 2907320926-4222207086
                                              • Opcode ID: c000eeb2abc5724a53a52b1edf67a6607e729be4713a0dac75a68ace07f27f9c
                                              • Instruction ID: fdc652981650bbea17a1eed279208fdea6da9eec1368c7db0a3e486c41e8b501
                                              • Opcode Fuzzy Hash: c000eeb2abc5724a53a52b1edf67a6607e729be4713a0dac75a68ace07f27f9c
                                              • Instruction Fuzzy Hash: 7D51AFB4658A05AB8B17EB10CDD2CFD73A5EF48700F608196F487AB6D0DB309D41EB42
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                              • API String ID: 1038674560-86951937
                                              • Opcode ID: 089cb879be937b693bad49faa7cfb0b445f1a9161a1332c73b47fc0b0a67520d
                                              • Instruction ID: e2a2cd958aecb5e7fd05c5a180c534a6e83391f2d52d955353db0802748121ed
                                              • Opcode Fuzzy Hash: 089cb879be937b693bad49faa7cfb0b445f1a9161a1332c73b47fc0b0a67520d
                                              • Instruction Fuzzy Hash: B48127B1751219AADB22FB60DC66FFB7768AF05740F044026FD416B2D2EB70DD25CA90
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00359AD2
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00359B8B
                                              • SendMessageW.USER32(?,00001102,00000002,?), ref: 00359BA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: 0
                                              • API String ID: 2326795674-4108050209
                                              • Opcode ID: d87da3787d6dd765d06229abd09b39cdb4af7348862c9d61573359e34c2880e3
                                              • Instruction ID: 498c950579095433c55d7d4a770b8b3a9951636b9005e10ce1496a4ff3f9e06b
                                              • Opcode Fuzzy Hash: d87da3787d6dd765d06229abd09b39cdb4af7348862c9d61573359e34c2880e3
                                              • Instruction Fuzzy Hash: 2C028A30108341EFD7268F24C849FAABBE9FF49316F04852EF999962B1C7759948CB52
                                              APIs
                                              • GetSysColor.USER32(00000012), ref: 0035A903
                                              • SetTextColor.GDI32(?,?), ref: 0035A907
                                              • GetSysColorBrush.USER32(0000000F), ref: 0035A91D
                                              • GetSysColor.USER32(0000000F), ref: 0035A928
                                              • CreateSolidBrush.GDI32(?), ref: 0035A92D
                                              • GetSysColor.USER32(00000011), ref: 0035A945
                                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0035A953
                                              • SelectObject.GDI32(?,00000000), ref: 0035A964
                                              • SetBkColor.GDI32(?,00000000), ref: 0035A96D
                                              • SelectObject.GDI32(?,?), ref: 0035A97A
                                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0035A999
                                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0035A9B0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0035A9C5
                                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0035A9ED
                                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0035AA14
                                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0035AA32
                                              • DrawFocusRect.USER32(?,?), ref: 0035AA3D
                                              • GetSysColor.USER32(00000011), ref: 0035AA4B
                                              • SetTextColor.GDI32(?,00000000), ref: 0035AA53
                                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0035AA67
                                              • SelectObject.GDI32(?,0035A5FA), ref: 0035AA7E
                                              • DeleteObject.GDI32(?), ref: 0035AA89
                                              • SelectObject.GDI32(?,?), ref: 0035AA8F
                                              • DeleteObject.GDI32(?), ref: 0035AA94
                                              • SetTextColor.GDI32(?,?), ref: 0035AA9A
                                              • SetBkColor.GDI32(?,?), ref: 0035AAA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                              • String ID:
                                              • API String ID: 1996641542-0
                                              • Opcode ID: b82e4ed8aa416eb5f0307bdc79cdc67fbdd3482c82aef81983d6e8108ff97757
                                              • Instruction ID: 8dc724d66b642cfe5341cd0063647927683346ee33e91cdac10d52473659585f
                                              • Opcode Fuzzy Hash: b82e4ed8aa416eb5f0307bdc79cdc67fbdd3482c82aef81983d6e8108ff97757
                                              • Instruction Fuzzy Hash: 3B512C71900618EFDB129FA4DC48EAEBBB9EB08321F114625F911AB2B1D7719A40DF90
                                              APIs
                                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00358AC1
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00358AD2
                                              • CharNextW.USER32(0000014E), ref: 00358B01
                                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00358B42
                                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00358B58
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00358B69
                                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00358B86
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00358BD8
                                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00358BEE
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00358C1F
                                              • _memset.LIBCMT ref: 00358C44
                                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00358C8D
                                              • _memset.LIBCMT ref: 00358CEC
                                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00358D16
                                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00358D6E
                                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00358E1B
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 00358E3D
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00358E87
                                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00358EB4
                                              • DrawMenuBar.USER32(?), ref: 00358EC3
                                              • SetWindowTextW.USER32(?,0000014E), ref: 00358EEB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                              • String ID: 0
                                              • API String ID: 1073566785-4108050209
                                              • Opcode ID: 234e69f63f465fb62a2db903a2db66c34ed8d5164e908a3460f0175b1ae1928e
                                              • Instruction ID: b5b83f414601b67790e3fb0923df2323d4c70e1c33284f310cddbac03054454d
                                              • Opcode Fuzzy Hash: 234e69f63f465fb62a2db903a2db66c34ed8d5164e908a3460f0175b1ae1928e
                                              • Instruction Fuzzy Hash: 74E16F70901208EFDB229F54CC84EEE7BBDEF09711F118156FD15AA2A0DB708A88DF60
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 003549CA
                                              • GetDesktopWindow.USER32 ref: 003549DF
                                              • GetWindowRect.USER32(00000000), ref: 003549E6
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00354A48
                                              • DestroyWindow.USER32(?), ref: 00354A74
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00354A9D
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00354ABB
                                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00354AE1
                                              • SendMessageW.USER32(?,00000421,?,?), ref: 00354AF6
                                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00354B09
                                              • IsWindowVisible.USER32(?), ref: 00354B29
                                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00354B44
                                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00354B58
                                              • GetWindowRect.USER32(?,?), ref: 00354B70
                                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00354B96
                                              • GetMonitorInfoW.USER32(00000000,?), ref: 00354BB0
                                              • CopyRect.USER32(?,?), ref: 00354BC7
                                              • SendMessageW.USER32(?,00000412,00000000), ref: 00354C32
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                              • String ID: ($0$tooltips_class32
                                              • API String ID: 698492251-4156429822
                                              • Opcode ID: 6f0fa243cba5d9941f7b610c6f41326e4aa4e6010d87cf4808404e50b3ac4a1b
                                              • Instruction ID: ebd72d93317beca2d782241b2efec4696fa9e9cfa3d062be65d0ec5ced104244
                                              • Opcode Fuzzy Hash: 6f0fa243cba5d9941f7b610c6f41326e4aa4e6010d87cf4808404e50b3ac4a1b
                                              • Instruction Fuzzy Hash: EFB18C70614340AFDB09DF64C845F6ABBE8BF88305F00891DF9999B2A1D771EC49CB95
                                              APIs
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D28BC
                                              • GetSystemMetrics.USER32(00000007), ref: 002D28C4
                                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002D28EF
                                              • GetSystemMetrics.USER32(00000008), ref: 002D28F7
                                              • GetSystemMetrics.USER32(00000004), ref: 002D291C
                                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 002D2939
                                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 002D2949
                                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 002D297C
                                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 002D2990
                                              • GetClientRect.USER32(00000000,000000FF), ref: 002D29AE
                                              • GetStockObject.GDI32(00000011), ref: 002D29CA
                                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 002D29D5
                                                • Part of subcall function 002D2344: GetCursorPos.USER32(?), ref: 002D2357
                                                • Part of subcall function 002D2344: ScreenToClient.USER32(003957B0,?), ref: 002D2374
                                                • Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000001), ref: 002D2399
                                                • Part of subcall function 002D2344: GetAsyncKeyState.USER32(00000002), ref: 002D23A7
                                              • SetTimer.USER32(00000000,00000000,00000028,002D1256), ref: 002D29FC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                              • String ID: AutoIt v3 GUI
                                              • API String ID: 1458621304-248962490
                                              • Opcode ID: 91970737ba328cc8938338cad52c5ce415f30cb000fcda18308fd4a01247a200
                                              • Instruction ID: 196ba7fc89347e04363b2b3d26ce31e95f54c96926d20a1bd9f52e5a1287c54f
                                              • Opcode Fuzzy Hash: 91970737ba328cc8938338cad52c5ce415f30cb000fcda18308fd4a01247a200
                                              • Instruction Fuzzy Hash: FFB15D7161020AEFDB16DFA8DC55BAE7BB8FB18311F10422AFA15E72A0DB749C51CB50
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: _wcscat$C1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                              • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                              • API String ID: 2258151342-1459072770
                                              • Opcode ID: d5852c5a071e4dd4cfe1f461e08770f4614d50cb7e5a82666fc920739720f12e
                                              • Instruction ID: 74ba5d46a41dc827c9ed2b3a43d743ff106ae540b4d8c96054a8864d34b36f9d
                                              • Opcode Fuzzy Hash: d5852c5a071e4dd4cfe1f461e08770f4614d50cb7e5a82666fc920739720f12e
                                              • Instruction Fuzzy Hash: FE41E771950208BBDB12FB748C47EFFB76CDF46750F40007AFA04E6192EB74AA158AA5
                                              APIs
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0032A47A
                                              • __swprintf.LIBCMT ref: 0032A51B
                                              • _wcscmp.LIBCMT ref: 0032A52E
                                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0032A583
                                              • _wcscmp.LIBCMT ref: 0032A5BF
                                              • GetClassNameW.USER32(?,?,00000400), ref: 0032A5F6
                                              • GetDlgCtrlID.USER32(?), ref: 0032A648
                                              • GetWindowRect.USER32(?,?), ref: 0032A67E
                                              • GetParent.USER32(?), ref: 0032A69C
                                              • ScreenToClient.USER32(00000000), ref: 0032A6A3
                                              • GetClassNameW.USER32(?,?,00000100), ref: 0032A71D
                                              • _wcscmp.LIBCMT ref: 0032A731
                                              • GetWindowTextW.USER32(?,?,00000400), ref: 0032A757
                                              • _wcscmp.LIBCMT ref: 0032A76B
                                                • Part of subcall function 002F362C: _iswctype.LIBCMT ref: 002F3634
                                              Strings
                                              Similarity
                                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                              • String ID: %s%u
                                              • API String ID: 3744389584-679674701
                                              • Opcode ID: 1a8f441b7f03dcb632be12afcf51ad224b17e4451776280764a7048a7bd58b66
                                              • Instruction ID: 33985bea19fcb0e327c8c561c8ee2a0028b5dbfa9a69b6243d8515f1893c8e20
                                              • Opcode Fuzzy Hash: 1a8f441b7f03dcb632be12afcf51ad224b17e4451776280764a7048a7bd58b66
                                              • Instruction Fuzzy Hash: FBA11131204B26AFC71ADF64D884FAAF7E8FF44355F008629F999D2190DB30E955CB92
                                              APIs
                                              • GetClassNameW.USER32(00000008,?,00000400), ref: 0032AF18
                                              • _wcscmp.LIBCMT ref: 0032AF29
                                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 0032AF51
                                              • CharUpperBuffW.USER32(?,00000000), ref: 0032AF6E
                                              • _wcscmp.LIBCMT ref: 0032AF8C
                                              • _wcsstr.LIBCMT ref: 0032AF9D
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0032AFD5
                                              • _wcscmp.LIBCMT ref: 0032AFE5
                                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 0032B00C
                                              • GetClassNameW.USER32(00000018,?,00000400), ref: 0032B055
                                              • _wcscmp.LIBCMT ref: 0032B065
                                              • GetClassNameW.USER32(00000010,?,00000400), ref: 0032B08D
                                              • GetWindowRect.USER32(00000004,?), ref: 0032B0F6
                                              Strings
                                              Similarity
                                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                              • String ID: @$ThumbnailClass
                                              • API String ID: 1788623398-1539354611
                                              • Opcode ID: b170f36f7d5cb4ad40b4d034048a6c4f6fbbbf46346adbdad9f697980263e135
                                              • Instruction ID: 9688351877334570eb589233798d04e4c4c3432515a51d68c9cd2d0c5211a502
                                              • Opcode Fuzzy Hash: b170f36f7d5cb4ad40b4d034048a6c4f6fbbbf46346adbdad9f697980263e135
                                              • Instruction Fuzzy Hash: 0581D071108319AFDB02DF10D985FAAB7ECEF44354F04846AFD858A0A6DB34ED59CBA1
                                              APIs
                                              Strings
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                              • API String ID: 1038674560-1810252412
                                              • Opcode ID: 2694619f441679f7f66c2881bad4526b95fa853dab91f7c8981e80fe3b723c6e
                                              • Instruction ID: 4b80ba38608e4fbc464e14f3eaa6e5e0d941dcf00455ed9b60505fea3331c4d8
                                              • Opcode Fuzzy Hash: 2694619f441679f7f66c2881bad4526b95fa853dab91f7c8981e80fe3b723c6e
                                              • Instruction Fuzzy Hash: 6231C430558729A7DA16FA60EE43EFEB7659F10750F30006AF801B12D1FF65AF148A92
                                              APIs
                                              • LoadCursorW.USER32(00000000,00007F8A), ref: 00345013
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 0034501E
                                              • LoadCursorW.USER32(00000000,00007F03), ref: 00345029
                                              • LoadCursorW.USER32(00000000,00007F8B), ref: 00345034
                                              • LoadCursorW.USER32(00000000,00007F01), ref: 0034503F
                                              • LoadCursorW.USER32(00000000,00007F81), ref: 0034504A
                                              • LoadCursorW.USER32(00000000,00007F88), ref: 00345055
                                              • LoadCursorW.USER32(00000000,00007F80), ref: 00345060
                                              • LoadCursorW.USER32(00000000,00007F86), ref: 0034506B
                                              • LoadCursorW.USER32(00000000,00007F83), ref: 00345076
                                              • LoadCursorW.USER32(00000000,00007F85), ref: 00345081
                                              • LoadCursorW.USER32(00000000,00007F82), ref: 0034508C
                                              • LoadCursorW.USER32(00000000,00007F84), ref: 00345097
                                              • LoadCursorW.USER32(00000000,00007F04), ref: 003450A2
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 003450AD
                                              • LoadCursorW.USER32(00000000,00007F89), ref: 003450B8
                                              • GetCursorInfo.USER32(?), ref: 003450C8
                                              Similarity
                                              • API ID: Cursor$Load$Info
                                              • String ID:
                                              • API String ID: 2577412497-0
                                              • Opcode ID: 84ac1733f8317929040c192726b6556bcb5422b4452ffedb30b1f697cdf1cd7c
                                              • Instruction ID: 2511d399052ad2aa87e6a3ee705aa4969d325ce9f5fc38c5866699bbfb7fedf0
                                              • Opcode Fuzzy Hash: 84ac1733f8317929040c192726b6556bcb5422b4452ffedb30b1f697cdf1cd7c
                                              • Instruction Fuzzy Hash: 2931D2B1D483196BDF119FB68C8996FBFE8FF08750F50452AA50DEB281DA78A500CF91
                                              APIs
                                              • _memset.LIBCMT ref: 0035A259
                                              • DestroyWindow.USER32(?,?), ref: 0035A2D3
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0035A34D
                                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0035A36F
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035A382
                                              • DestroyWindow.USER32(00000000), ref: 0035A3A4
                                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,002D0000,00000000), ref: 0035A3DB
                                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0035A3F4
                                              • GetDesktopWindow.USER32 ref: 0035A40D
                                              • GetWindowRect.USER32(00000000), ref: 0035A414
                                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0035A42C
                                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0035A444
                                                • Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC
                                              Strings
                                              Similarity
                                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                              • String ID: 0$tooltips_class32
                                              • API String ID: 1297703922-3619404913
                                              • Opcode ID: 6180b01618cfb03777c3e881bb151d22a45266be9d9b33b907fc6b7cd9a2c336
                                              • Instruction ID: 2d5b264c47ec4edb66fd1d6ac6047d84de9f66e16dd87b26f49e9fd8a3c37d04
                                              • Opcode Fuzzy Hash: 6180b01618cfb03777c3e881bb151d22a45266be9d9b33b907fc6b7cd9a2c336
                                              • Instruction Fuzzy Hash: 3E717770144605AFD722CF28CC49F6A7BE9FB88305F04462EF985872B0D775A94ADB52
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00354424
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0035446F
                                              Strings
                                              Similarity
                                              • API ID: BuffCharMessageSendUpper
                                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                              • API String ID: 3974292440-4258414348
                                              • Opcode ID: 84181e00011c4ef9065bcb5d759ee9c7c0f35efb7a2e906fb2207ab8c3dec35d
                                              • Instruction ID: 4090365c1374380bb6cb25c4ab531e0b275c3e3df1415dc95c4c5b4017a7dbf8
                                              • Opcode Fuzzy Hash: 84181e00011c4ef9065bcb5d759ee9c7c0f35efb7a2e906fb2207ab8c3dec35d
                                              • Instruction Fuzzy Hash: E591AE702147018FCB09EF10C451A6EB7E1AF85754F058869FC929B7A2DB30ED99CB81
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0035B8B4
                                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003591C2), ref: 0035B910
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0035B949
                                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0035B98C
                                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0035B9C3
                                              • FreeLibrary.KERNEL32(?), ref: 0035B9CF
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0035B9DF
                                              • DestroyCursor.USER32(?), ref: 0035B9EE
                                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0035BA0B
                                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0035BA17
                                                • Part of subcall function 002F2EFD: __wcsicmp_l.LIBCMT ref: 002F2F86
                                              Strings
                                              Similarity
                                              • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                              • String ID: .dll$.exe$.icl
                                              • API String ID: 3907162815-1154884017
                                              • Opcode ID: 4541fed27f759283cd53259d3c23e5f5b42ed1989b3eb934e9d2433dfb95dd03
                                              • Instruction ID: 9583154e35108ddb6af8670a51e211af7cfcb015c2d6beee768265c343aee7aa
                                              • Opcode Fuzzy Hash: 4541fed27f759283cd53259d3c23e5f5b42ed1989b3eb934e9d2433dfb95dd03
                                              • Instruction Fuzzy Hash: CF61EF71900208BEEB16DF64CC46FBEB7ACEB08712F104116FE15D61E0DB749994DBA0
                                              APIs
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • CharLowerBuffW.USER32(?,?), ref: 0033A3CB
                                              • GetDriveTypeW.KERNEL32 ref: 0033A418
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033A460
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033A497
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0033A4C5
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              Strings
                                              Similarity
                                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                              • API String ID: 2698844021-4113822522
                                              • Opcode ID: c0a700c92ea5d058798ce59d665f771f58af889b2724d81e4fbf3aa801738e4c
                                              • Instruction ID: da5755b7ce2a1bfc7ca74fe20f433d6e92f4d52c2811062bcd2d5655703a96ab
                                              • Opcode Fuzzy Hash: c0a700c92ea5d058798ce59d665f771f58af889b2724d81e4fbf3aa801738e4c
                                              • Instruction Fuzzy Hash: 7A516E711147049FC701EF21C99186AB3E8EF94758F50886EF88597361DB31ED1ACF42
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0030E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0032F8DF
                                              • LoadStringW.USER32(00000000,?,0030E029,00000001), ref: 0032F8E8
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0030E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0032F90A
                                              • LoadStringW.USER32(00000000,?,0030E029,00000001), ref: 0032F90D
                                              • __swprintf.LIBCMT ref: 0032F95D
                                              • __swprintf.LIBCMT ref: 0032F96E
                                              • _wprintf.LIBCMT ref: 0032FA17
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0032FA2E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                              • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                              • API String ID: 984253442-2268648507
                                              • Opcode ID: 4e34c700cd42d2f81cf35f96cba8bcb0c18eb8b3611eabf6107ede8f1dd8464d
                                              • Instruction ID: efb3a644eaa7820e05d1d5e097036910d48553d5c773bf6926fb358bb291034f
                                              • Opcode Fuzzy Hash: 4e34c700cd42d2f81cf35f96cba8bcb0c18eb8b3611eabf6107ede8f1dd8464d
                                              • Instruction Fuzzy Hash: 02414B72814219AACB05FBE0DD96DEEB77CAF14300F500466F505B61A2EB356F59CFA0
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00359207,?,?), ref: 0035BA56
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00359207,?,?,00000000,?), ref: 0035BA6D
                                              • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00359207,?,?,00000000,?), ref: 0035BA78
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00359207,?,?,00000000,?), ref: 0035BA85
                                              • GlobalLock.KERNEL32(00000000), ref: 0035BA8E
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00359207,?,?,00000000,?), ref: 0035BA9D
                                              • GlobalUnlock.KERNEL32(00000000), ref: 0035BAA6
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00359207,?,?,00000000,?), ref: 0035BAAD
                                              • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0035BABE
                                              • OleLoadPicture.OLEAUT32(?,00000000,00000000,00362CAC,?), ref: 0035BAD7
                                              • GlobalFree.KERNEL32(00000000), ref: 0035BAE7
                                              • GetObjectW.GDI32(00000000,00000018,?), ref: 0035BB0B
                                              • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0035BB36
                                              • DeleteObject.GDI32(00000000), ref: 0035BB5E
                                              • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0035BB74
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                              • String ID:
                                              • API String ID: 3840717409-0
                                              • Opcode ID: 3e04d271a7147d4ee3157d01224c0a31c9a142b1967cb0b088fd3434e180715d
                                              • Instruction ID: e73fe5e225f7bcb4d23e4c1158a7a7b204be6a667dd4d3afaf6fb4fa03f47a78
                                              • Opcode Fuzzy Hash: 3e04d271a7147d4ee3157d01224c0a31c9a142b1967cb0b088fd3434e180715d
                                              • Instruction Fuzzy Hash: 00410475600208EFDB129F65DC88EABBBBDEF89712F114068F909D72B0D7709A05CB60
                                              APIs
                                                • Part of subcall function 002F0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,002D6B0C,?,00008000), ref: 002F0973
                                                • Part of subcall function 002D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D4743,?,?,002D37AE,?), ref: 002D4770
                                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 002D6BAD
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 002D6CFA
                                                • Part of subcall function 002D586D: _wcscpy.LIBCMT ref: 002D58A5
                                                • Part of subcall function 002F363D: _iswctype.LIBCMT ref: 002F3645
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                              • String ID: #include depth exceeded. Make sure there are no recursive includes$/v-$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                              • API String ID: 537147316-951851648
                                              • Opcode ID: 6ccfd91f20152a719459fb96092a8af9fb25fedcfd6549cf7aa7a418e64f710e
                                              • Instruction ID: af4a504d0a2fc9dd3600c2eb9247557cd809c466a89e4fbd66eebe74b2bb69fb
                                              • Opcode Fuzzy Hash: 6ccfd91f20152a719459fb96092a8af9fb25fedcfd6549cf7aa7a418e64f710e
                                              • Instruction Fuzzy Hash: 5B02AA302183419FC725EF24C891AAFBBE5AF99314F10482EF496972A2DB70DD59CF52
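The function above is the interpreter's script loader: it reads the embedded script resource, walks `#include` directives (hence the "#include depth exceeded" error text) and checks the resource against the "AU3!" and "EA06" tags, with ">>>AUTOIT SCRIPT<<<" kept for older script containers. Those three strings are what the "Binary is likely a compiled AutoIt script file" signature keys on. The scanner below is an added example, not code from Joe Sandbox or the AutoIt project: it searches a file image for those markers in both ASCII and UTF-16LE form (the interpreter is a Unicode build, so its own string references are wide), and reports whether it saw only the loader's separate string constants or the contiguous 8-byte "AU3!EA06" tag. That the contiguous tag sits at the head of the embedded script blob is an assumption drawn from general knowledge of AutoIt3 builds; this report only shows the two strings referenced separately. The sample buffer is constructed for the demonstration.

```python
"""Scan a file image for AutoIt3 compiled-script markers.

Added example; not part of the Joe Sandbox report or of AutoIt itself.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Marker texts taken from the string references in the loader function above.
# "au3_ea06" (the two tags concatenated) is an assumption about the layout of
# the embedded script resource; the report shows "AU3!" and "EA06" only as
# separately referenced strings.
MARKERS = {
    "au3_tag": "AU3!",
    "ea06_tag": "EA06",
    "au3_ea06": "AU3!EA06",
    "legacy_autoit_script": ">>>AUTOIT SCRIPT<<<",
}


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str  # "ascii" or "utf-16-le"
    offset: int


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset of needle in data (overlapping matches included)."""
    offsets, start = [], 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan_autoit_markers(data: bytes) -> list[Hit]:
    """Locate each marker in narrow and wide encodings, sorted by offset."""
    hits: list[Hit] = []
    for name, text in MARKERS.items():
        for enc in ("ascii", "utf-16-le"):
            needle = text.encode(enc)
            hits.extend(Hit(name, enc, off) for off in find_all(data, needle))
    return sorted(hits, key=lambda h: (h.offset, h.name, h.encoding))


def classify(hits: list[Hit]) -> str:
    """Summarise what the hits imply.

    A contiguous ASCII "AU3!EA06" tag (or the legacy clear-text marker)
    points at an embedded compiled script.  Seeing "AU3!" and "EA06" only as
    separate strings means the interpreter's loader code is present, which is
    true of any AutoIt-built executable, so that alone is weaker evidence.
    """
    ascii_tag = any(h.name == "au3_ea06" and h.encoding == "ascii" for h in hits)
    legacy = any(h.name == "legacy_autoit_script" for h in hits)
    if ascii_tag or legacy:
        return "compiled-autoit-script-likely"
    names = {h.name for h in hits}
    if {"au3_tag", "ea06_tag"} <= names:
        return "autoit-interpreter-strings-only"
    return "no-autoit-markers"


def scan_file(path: str) -> tuple[str, list[Hit]]:
    with open(path, "rb") as fh:
        hits = scan_autoit_markers(fh.read())
    return classify(hits), hits


# Constructed sample: a fake image carrying the loader's wide string constants
# followed, further on, by an ASCII "AU3!EA06" tag as a script blob would.
SAMPLE = (
    b"MZ" + b"\x00" * 64
    + "AU3!".encode("utf-16-le") + b"\x00" * 8
    + "EA06".encode("utf-16-le") + b"\x00" * 32
    + b"AU3!EA06" + b"\x01\x02"
)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, found = scan_file(sys.argv[1])
    else:
        found = scan_autoit_markers(SAMPLE)
        verdict = classify(found)
    for h in found:
        print(f"{h.offset:#010x} {h.encoding:9s} {h.name}")
    print(verdict)
```

Run it against an unpacked PE image rather than a memory dump of one process region: the script resource lives in the file's resource section, and a dump that covers only the code section (as the .sdmp sources above do) will show the loader's wide strings but not the tag.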
                                              APIs
                                              • __wsplitpath.LIBCMT ref: 0033DA10
                                              • _wcscat.LIBCMT ref: 0033DA28
                                              • _wcscat.LIBCMT ref: 0033DA3A
                                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0033DA4F
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0033DA63
                                              • GetFileAttributesW.KERNEL32(?), ref: 0033DA7B
                                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 0033DA95
                                              • SetCurrentDirectoryW.KERNEL32(?), ref: 0033DAA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                              • String ID: *.*
                                              • API String ID: 34673085-438819550
                                              • Opcode ID: 99d65d175a0d28c5c193b148350f66ba2e696daf7d9e395fce1ceda81c0d43d1
                                              • Instruction ID: d2fc62a67b3d472cf3268bccb24651458acf99fbbacb05bd7ac7edf2671fd44f
                                              • Opcode Fuzzy Hash: 99d65d175a0d28c5c193b148350f66ba2e696daf7d9e395fce1ceda81c0d43d1
                                              • Instruction Fuzzy Hash: AD81B3725043459FCB25EF64D884AAEB7E8BF89710F19482EF889CB251E730ED44CB52
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0034738F
                                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0034739B
                                              • CreateCompatibleDC.GDI32(?), ref: 003473A7
                                              • SelectObject.GDI32(00000000,?), ref: 003473B4
                                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00347408
                                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00347444
                                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00347468
                                              • SelectObject.GDI32(00000006,?), ref: 00347470
                                              • DeleteObject.GDI32(?), ref: 00347479
                                              • DeleteDC.GDI32(00000006), ref: 00347480
                                              • ReleaseDC.USER32(00000000,?), ref: 0034748B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                              • String ID: (
                                              • API String ID: 2598888154-3887548279
                                              • Opcode ID: 48572033f9c778be0d60fe948bfaad85a1e7100ea33d7aad23c954f124337bde
                                              • Instruction ID: 3685fcebb048bb6a81276b6d03935305a27f2b7e65c6aa80482c04958a2ec311
                                              • Opcode Fuzzy Hash: 48572033f9c778be0d60fe948bfaad85a1e7100ea33d7aad23c954f124337bde
                                              • Instruction Fuzzy Hash: FF513875904309EFCB16CFA9CC85EAEBBF9EF48310F148429F9599B261C731A9408B90
                                              APIs
                                              • _memset.LIBCMT ref: 00332D50
                                              • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00332DDD
                                              • GetMenuItemCount.USER32(00395890), ref: 00332E66
                                              • DeleteMenu.USER32(00395890,00000005,00000000,000000F5,?,?), ref: 00332EF6
                                              • DeleteMenu.USER32(00395890,00000004,00000000), ref: 00332EFE
                                              • DeleteMenu.USER32(00395890,00000006,00000000), ref: 00332F06
                                              • DeleteMenu.USER32(00395890,00000003,00000000), ref: 00332F0E
                                              • GetMenuItemCount.USER32(00395890), ref: 00332F16
                                              • SetMenuItemInfoW.USER32(00395890,00000004,00000000,00000030), ref: 00332F4C
                                              • GetCursorPos.USER32(?), ref: 00332F56
                                              • SetForegroundWindow.USER32(00000000), ref: 00332F5F
                                              • TrackPopupMenuEx.USER32(00395890,00000000,?,00000000,00000000,00000000), ref: 00332F72
                                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00332F7E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                              • String ID:
                                              • API String ID: 3993528054-0
                                              • Opcode ID: e6a18b76e25db69528a0c0613b14bf27de3d490d92ce88de4949e32d627746d5
                                              • Instruction ID: 38fd5f44db4a99edbc03694a6e64cb1764485a79f84ca4bc57bfdc87c65341a7
                                              • Opcode Fuzzy Hash: e6a18b76e25db69528a0c0613b14bf27de3d490d92ce88de4949e32d627746d5
                                              • Instruction Fuzzy Hash: A271A170600205BEEB239F54DCC6FABBF68FF05764F144226F625AA1E1C7B16864DB90
                                              APIs
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              • _memset.LIBCMT ref: 0032786B
                                              • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003278A0
                                              • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003278BC
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003278D8
                                              • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00327902
                                              • CLSIDFromString.COMBASE(?,?), ref: 0032792A
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00327935
                                              • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0032793A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                              • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                              • API String ID: 1411258926-22481851
                                              • Opcode ID: 0a9ed1038474805051bd3bf45b2749e177c84575f31d6c3a1b43aad207485441
                                              • Instruction ID: fc5a6f6f6dddcf1b5782416254514af3735f1a6026e9c73d3b29f04bc2eb85a3
                                              • Opcode Fuzzy Hash: 0a9ed1038474805051bd3bf45b2749e177c84575f31d6c3a1b43aad207485441
                                              • Instruction Fuzzy Hash: A241F872824229AACB12EBA4DC95DEEB778FF04350F05406AF905A32A1EB349D14CF90
                                              APIs
                                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034FDAD,?,?), ref: 00350E31
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                              • API String ID: 3964851224-909552448
                                              • Opcode ID: 52eba281387f894906278bb318fa0e356e1e3a13381bb6702221e425661d8f90
                                              • Instruction ID: 2433fa924cbb73ac84f86f17b456178d5c95a8cad2f809272df8adf909b23e98
                                              • Opcode Fuzzy Hash: 52eba281387f894906278bb318fa0e356e1e3a13381bb6702221e425661d8f90
                                              • Instruction Fuzzy Hash: C7418E3512034A8BCF16EF11D9A2AFF3764BF11341F150466FD951B2A2DB369D2ACBA0
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0030E2A0,00000010,?,Bad directive syntax error,0035F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0032F7C2
                                              • LoadStringW.USER32(00000000,?,0030E2A0,00000010), ref: 0032F7C9
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              • _wprintf.LIBCMT ref: 0032F7FC
                                              • __swprintf.LIBCMT ref: 0032F81E
                                              • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0032F88D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                              • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                              • API String ID: 1506413516-4153970271
                                              • Opcode ID: 5589b666b773a2aeefd6f5f0bc629db62dc840ec8b0c0c4526c00c790653d7a8
                                              • Instruction ID: eb651872cbdb56f874375f00242d7c08ba77e8ce9c3bb3536e44784882126df0
                                              • Opcode Fuzzy Hash: 5589b666b773a2aeefd6f5f0bc629db62dc840ec8b0c0c4526c00c790653d7a8
                                              • Instruction Fuzzy Hash: C7214D3295421EAFCF12EF90CC5AEEEB739BF18301F040466F515661A2EB719A28DF50
                                              APIs
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                                • Part of subcall function 002D7924: _memmove.LIBCMT ref: 002D79AD
                                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00335330
                                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00335346
                                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00335357
                                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00335369
                                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0033537A
                                              Similarity
                                              • API ID: SendString$_memmove
                                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                              • API String ID: 2279737902-1007645807
                                              • Opcode ID: c4fd3435d002d4be24a20f8b64946d5cb36bf715cfaf9b47ccaf5e933927481c
                                              • Instruction ID: 4848626998e6cac7360fffb1ddcdcf5a2093b55217e5b3dc11a9d036bd238a35
                                              • Opcode Fuzzy Hash: c4fd3435d002d4be24a20f8b64946d5cb36bf715cfaf9b47ccaf5e933927481c
                                              • Instruction Fuzzy Hash: 9D11C431AA022979D721B771CC4ADFF7B7CEF91B50F80046AB401A21D1FEA00D04CEA0
                                              Similarity
                                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                              • String ID: 0.0.0.0
                                              • API String ID: 208665112-3771769585
                                              • Opcode ID: e7dd70e2a4a5837b046c8f9a575fc0269f8efb6503c0964e85fd05bbbb256c61
                                              • Instruction ID: 5fdb09b3f9367882d31a2fbc9b00974da18b96ac268af9af1775035079866a7d
                                              • Opcode Fuzzy Hash: e7dd70e2a4a5837b046c8f9a575fc0269f8efb6503c0964e85fd05bbbb256c61
                                              • Instruction Fuzzy Hash: 9011E731500218AFCB16BB309C86EEA77BCEF06752F0401B6F555960A1FF7199858B50
                                              APIs
                                              • timeGetTime.WINMM ref: 00334F7A
                                                • Part of subcall function 002F049F: timeGetTime.WINMM(?,7694B400,002E0E7B), ref: 002F04A3
                                              • Sleep.KERNEL32(0000000A), ref: 00334FA6
                                              • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00334FCA
                                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00334FEC
                                              • SetActiveWindow.USER32 ref: 0033500B
                                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00335019
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 00335038
                                              • Sleep.KERNEL32(000000FA), ref: 00335043
                                              • IsWindow.USER32 ref: 0033504F
                                              • EndDialog.USER32(00000000), ref: 00335060
                                              Similarity
                                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                              • String ID: BUTTON
                                              • API String ID: 1194449130-3405671355
                                              • Opcode ID: 6829eb207857aa9206bf8bdcb01ecb793f020b49b212347107886f16c743fcd5
                                              • Instruction ID: 4049215cfb09d594e52fddaf7088a3290b4cf0b373b7a993bbc78b9121bff3ab
                                              • Opcode Fuzzy Hash: 6829eb207857aa9206bf8bdcb01ecb793f020b49b212347107886f16c743fcd5
                                              • Instruction Fuzzy Hash: 6C219070206705AFE7135F20ECCAA2B3B6DEB4B746F0A1425F501821B1DB739D508B61
                                              APIs
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • CoInitialize.OLE32(00000000), ref: 0033D5EA
                                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0033D67D
                                              • SHGetDesktopFolder.SHELL32(?), ref: 0033D691
                                              • CoCreateInstance.COMBASE(00362D7C,00000000,00000001,00388C1C,?), ref: 0033D6DD
                                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0033D74C
                                              • CoTaskMemFree.COMBASE(?), ref: 0033D7A4
                                              • _memset.LIBCMT ref: 0033D7E1
                                              • SHBrowseForFolderW.SHELL32(?), ref: 0033D81D
                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0033D840
                                              • CoTaskMemFree.COMBASE(00000000), ref: 0033D847
                                              • CoTaskMemFree.COMBASE(00000000), ref: 0033D87E
                                              • CoUninitialize.COMBASE ref: 0033D880
                                              Similarity
                                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                              • String ID:
                                              • API String ID: 1246142700-0
                                              • Opcode ID: c2e2060657d6a705a93e4b080962fc7922c8d146e1f62f3cff476513d9b1b301
                                              • Instruction ID: 1b6955ef66e7b92adaf6406594d9c6b7a5c8e866c4d17afd97d213410c9d29a3
                                              • Opcode Fuzzy Hash: c2e2060657d6a705a93e4b080962fc7922c8d146e1f62f3cff476513d9b1b301
                                              • Instruction Fuzzy Hash: DCB1FA75A00209AFDB05DFA4D889DAEBBB9FF48304F148469F909DB261DB30ED41CB50
                                              APIs
                                              • GetDlgItem.USER32(?,00000001), ref: 0032C283
                                              • GetWindowRect.USER32(00000000,?), ref: 0032C295
                                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0032C2F3
                                              • GetDlgItem.USER32(?,00000002), ref: 0032C2FE
                                              • GetWindowRect.USER32(00000000,?), ref: 0032C310
                                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0032C364
                                              • GetDlgItem.USER32(?,000003E9), ref: 0032C372
                                              • GetWindowRect.USER32(00000000,?), ref: 0032C383
                                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0032C3C6
                                              • GetDlgItem.USER32(?,000003EA), ref: 0032C3D4
                                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0032C3F1
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0032C3FE
                                              Similarity
                                              • API ID: Window$ItemMoveRect$Invalidate
                                              • String ID:
                                              • API String ID: 3096461208-0
                                              • Opcode ID: a35ecb53e9228dea44bcba67f426b4092ddf4ca6c9f9ecd130b89badf65cfa13
                                              • Instruction ID: d71cd2703159b6df6e0e19bebadf8ca71650a5ad9338c5719962ab68038a4e1b
                                              • Opcode Fuzzy Hash: a35ecb53e9228dea44bcba67f426b4092ddf4ca6c9f9ecd130b89badf65cfa13
                                              • Instruction Fuzzy Hash: AA514071B10305AFDF19CFA9DD89AAEBBBAEB88711F14852DF615D72A0D7709D008B10
                                              APIs
                                                • Part of subcall function 002D25DB: GetWindowLongW.USER32(?,000000EB), ref: 002D25EC
                                              • GetSysColor.USER32(0000000F), ref: 002D21D3
                                              Similarity
                                              • API ID: ColorLongWindow
                                              • String ID:
                                              • API String ID: 259745315-0
                                              • Opcode ID: 6d44a5d0aea8bf442f8a1afdfe9b316bf70be87a4ee4f4b3a8b23f53b6236cdc
                                              • Instruction ID: a4ddd8062f975b41a3632207bd3fb228b60ad7dbeae53fafdc073f8556089c09
                                              • Opcode Fuzzy Hash: 6d44a5d0aea8bf442f8a1afdfe9b316bf70be87a4ee4f4b3a8b23f53b6236cdc
                                              • Instruction Fuzzy Hash: 5A41C131014640DFDB225F28EC9CBB93B69EB16331F148266FE658A2F1C7318D56DB21
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,0035F910), ref: 0033A90B
                                              • GetDriveTypeW.KERNEL32(00000061,003889A0,00000061), ref: 0033A9D5
                                              • _wcscpy.LIBCMT ref: 0033A9FF
                                              Similarity
                                              • API ID: BuffCharDriveLowerType_wcscpy
                                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                              • API String ID: 2820617543-1000479233
                                              • Opcode ID: a49390f13252ba9e4343ebb5d28bc50d70e41b9f9a1d8ad9bfe0b2d8866d4400
                                              • Instruction ID: 65e9a88e4de110b635e05fa226252794c0040169b814ed2b24dc4cd26bafb645
                                              • Opcode Fuzzy Hash: a49390f13252ba9e4343ebb5d28bc50d70e41b9f9a1d8ad9bfe0b2d8866d4400
                                              • Instruction Fuzzy Hash: C4519A311287059BC302EF14C9D2AAEB7A9EF84340F51482EF5D6A72A2DB319D19CB53
                                              Similarity
                                              • API ID: __i64tow__itow__swprintf
                                              • String ID: %.15g$0x%p$False$True
                                              • API String ID: 421087845-2263619337
                                              • Opcode ID: 47ed8620e1abbb7c863b427170b3f09c00cd0bd1792048029541fa15a52fd704
                                              • Instruction ID: 338f616562446d1455dada6f036150aef4fa1ffec9aa7dcd86b50d63d10860a3
                                              • Opcode Fuzzy Hash: 47ed8620e1abbb7c863b427170b3f09c00cd0bd1792048029541fa15a52fd704
                                              • Instruction Fuzzy Hash: F541E371521209AFEB25DF34DC52A7AB3E8EF06700F2044BEF549D7382EA719D519B10
                                              APIs
                                              • _memset.LIBCMT ref: 0035716A
                                              • CreateMenu.USER32 ref: 00357185
                                              • SetMenu.USER32(?,00000000), ref: 00357194
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00357221
                                              • IsMenu.USER32(?), ref: 00357237
                                              • CreatePopupMenu.USER32 ref: 00357241
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0035726E
                                              • DrawMenuBar.USER32 ref: 00357276
                                              Similarity
                                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                              • String ID: 0$F
                                              • API String ID: 176399719-3044882817
                                              • Opcode ID: 6447c1be59d1b305e48d7563a0b78ff1ed61d23ef5ffa4c5c4b0827cef180d1e
                                              • Instruction ID: 9c93db73b341d033ba3d3ab617405e6bcaa86c17fac1332d14950c4c24485f6d
                                              • Opcode Fuzzy Hash: 6447c1be59d1b305e48d7563a0b78ff1ed61d23ef5ffa4c5c4b0827cef180d1e
                                              • Instruction Fuzzy Hash: C9414474A01309EFDB22DFA4E884E9ABBB9FF09352F154429FD05A7360D731A914CB90
                                              APIs
                                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0035755E
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00357565
                                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00357578
                                              • SelectObject.GDI32(00000000,00000000), ref: 00357580
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0035758B
                                              • DeleteDC.GDI32(00000000), ref: 00357594
                                              • GetWindowLongW.USER32(?,000000EC), ref: 0035759E
                                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003575B2
                                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003575BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                              • String ID: static
                                              • API String ID: 2559357485-2160076837
                                              • Opcode ID: f57151bbaf39f3b1ea3d09c129c487b3390e7326ef647757f5379e2c2d5dd3fc
                                              • Instruction ID: a7bd7471d247e3ab932012f2c525a10887ab88e1e113988bcbeb8b4428e89ef2
                                              • Opcode Fuzzy Hash: f57151bbaf39f3b1ea3d09c129c487b3390e7326ef647757f5379e2c2d5dd3fc
                                              • Instruction Fuzzy Hash: DD314772104215AFDB139F64EC08FEA3BADEF0A362F110625FA15A61B0D731D825DBA4
                                              APIs
                                              • _memset.LIBCMT ref: 002F6E3E
                                                • Part of subcall function 002F8B28: __getptd_noexit.LIBCMT ref: 002F8B28
                                              • __gmtime64_s.LIBCMT ref: 002F6ED7
                                              • __gmtime64_s.LIBCMT ref: 002F6F0D
                                              • __gmtime64_s.LIBCMT ref: 002F6F2A
                                              • __allrem.LIBCMT ref: 002F6F80
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F6F9C
                                              • __allrem.LIBCMT ref: 002F6FB3
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F6FD1
                                              • __allrem.LIBCMT ref: 002F6FE8
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F7006
                                              • __invoke_watson.LIBCMT ref: 002F7077
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                              • String ID:
                                              • API String ID: 384356119-0
                                              • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                              • Instruction ID: 6f18499344a8aea8ad15077cd7a7c524103e2124965b1f49a3c4e8eda256fd63
                                              • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                              • Instruction Fuzzy Hash: 5071FA76A1071BABD7149E68DC41B7AF3A8EF047A4F144239F614DB6C1EB70DE208B90
                                              APIs
                                              • _memset.LIBCMT ref: 00332542
                                              • GetMenuItemInfoW.USER32(00395890,000000FF,00000000,00000030), ref: 003325A3
                                              • SetMenuItemInfoW.USER32(00395890,00000004,00000000,00000030), ref: 003325D9
                                              • Sleep.KERNEL32(000001F4), ref: 003325EB
                                              • GetMenuItemCount.USER32(?), ref: 0033262F
                                              • GetMenuItemID.USER32(?,00000000), ref: 0033264B
                                              • GetMenuItemID.USER32(?,-00000001), ref: 00332675
                                              • GetMenuItemID.USER32(?,?), ref: 003326BA
                                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00332700
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332714
                                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00332735
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                              • String ID:
                                              • API String ID: 4176008265-0
                                              • Opcode ID: 0ff8ffd8dfc155f0737efafdbb475a332b175e11503ae78be175320eb322df39
                                              • Instruction ID: 2f4655b5d5906fea2c2ff373e4e5fbd04956da36b27ba2d990bf2150c1db0c7b
                                              • Opcode Fuzzy Hash: 0ff8ffd8dfc155f0737efafdbb475a332b175e11503ae78be175320eb322df39
                                              • Instruction Fuzzy Hash: 1B618BB0900249AFDB13CF64D8C9DAFBBB8FF42305F150569E842A7261D771AE45DB20
                                              APIs
                                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00356FA5
                                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00356FA8
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00356FCC
                                              • _memset.LIBCMT ref: 00356FDD
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00356FEF
                                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00357067
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$LongWindow_memset
                                              • String ID:
                                              • API String ID: 830647256-0
                                              • Opcode ID: 03e532695c437d36a4a94c764f4ca709a99385d5d2ff903a1ad46adeb4f2272a
                                              • Instruction ID: f97d8dbe71c18beb3ab60d57b2ec35e26f2e9f32628408126fadc5e61ade563e
                                              • Opcode Fuzzy Hash: 03e532695c437d36a4a94c764f4ca709a99385d5d2ff903a1ad46adeb4f2272a
                                              • Instruction Fuzzy Hash: 4C616C75A04208AFDB12DFA4DC81EEE77F8EB09710F10415AFA15EB2A1C771AE45DB90
                                              APIs
                                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00326BBF
                                              • SafeArrayAllocData.OLEAUT32(?), ref: 00326C18
                                              • VariantInit.OLEAUT32(?), ref: 00326C2A
                                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 00326C4A
                                              • VariantCopy.OLEAUT32(?,?), ref: 00326C9D
                                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 00326CB1
                                              • VariantClear.OLEAUT32(?), ref: 00326CC6
                                              • SafeArrayDestroyData.OLEAUT32(?), ref: 00326CD3
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00326CDC
                                              • VariantClear.OLEAUT32(?), ref: 00326CEE
                                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00326CF9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                              • String ID:
                                              • API String ID: 2706829360-0
                                              • Opcode ID: f10df3a6b6e8d60bc79194d82fc86e840be55d2a55374f2d9458b9f4eacc8b6d
                                              • Instruction ID: f10fadf7aaf0403b8361f1b0813510c3dd4f53c9ecc5c64788e3865e08efbe92
                                              • Opcode Fuzzy Hash: f10df3a6b6e8d60bc79194d82fc86e840be55d2a55374f2d9458b9f4eacc8b6d
                                              • Instruction Fuzzy Hash: 9C414175A002299FCF01EFA9D8499AEBBBDEF08355F018069F955E7261CB30E945CF90
                                              APIs
                                              • WSAStartup.WS2_32(00000101,?), ref: 00345793
                                              • inet_addr.WS2_32(?), ref: 003457D8
                                              • gethostbyname.WS2_32(?), ref: 003457E4
                                              • IcmpCreateFile.IPHLPAPI ref: 003457F2
                                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00345862
                                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00345878
                                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003458ED
                                              • WSACleanup.WS2_32 ref: 003458F3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                              • String ID: Ping
                                              • API String ID: 1028309954-2246546115
                                              • Opcode ID: 44eba612a69528511cd2735f4d8c9f969fcdda700ef1b73ddde882bdcc7e43c3
                                              • Instruction ID: dd6316a7809aa88525e50cb3e37ac61988de31c43de56b50370045a727557a3e
                                              • Opcode Fuzzy Hash: 44eba612a69528511cd2735f4d8c9f969fcdda700ef1b73ddde882bdcc7e43c3
                                              • Instruction Fuzzy Hash: FB513C31A047009FD712AF25DC45B2ABBE8EF48720F15456AF996DB2A2DB70ED40DF42
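The API lists in these function entries are what a triage analyst works from, and most of the numeric arguments are SDK constants that otherwise get decoded by hand. The following Python is an added example and not part of the Joe Sandbox report: it parses entries in the format shown above (the sample lines are copied from the Ping, SendMessageW and menu entries in this report), decodes a few of the constants, and checks the IcmpSendEcho buffer arithmetic. The window-message table, the SEM/Winsock decoders and the 28-byte ICMP_ECHO_REPLY size are assumptions taken from the Win32 SDK for a 32-bit process, not from the report, and cover only constants that occur here.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function entry and decode arguments.

Added example for this report; not Joe Sandbox code. SAMPLE is copied from the
report's own entries; the constant tables are Win32 SDK values (assumption).
"""
import re
from dataclasses import dataclass

# Copied from the report: the ICMP ping function, one subcall line, two
# list-view messages and a Sleep.
SAMPLE = """
• WSAStartup.WS2_32(00000101,?), ref: 00345793
• inet_addr.WS2_32(?), ref: 003457D8
• gethostbyname.WS2_32(?), ref: 003457E4
• IcmpCreateFile.IPHLPAPI ref: 003457F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00345862
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 003458ED
• WSACleanup.WS2_32 ref: 003458F3
  • Part of subcall function 002F8B28: __getptd_noexit.LIBCMT ref: 002F8B28
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00356FA5
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00356FEF
• Sleep.KERNEL32(000001F4), ref: 003325EB
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<api>[^\s.(]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX_ARG = re.compile(r"^-?[0-9A-F]{8}$")

# Assumed SDK constants, keyed by (api, zero-based argument index).
WINDOW_MESSAGES = {0x0111: "WM_COMMAND", 0x0186: "LB_SETCURSEL",
                   0x018C: "LB_SELECTSTRING", 0x1004: "LVM_GETITEMCOUNT",
                   0x101F: "LVM_GETHEADER", 0x104D: "LVM_INSERTITEMW"}
ARG_DECODERS = {
    ("SendMessageW", 1): lambda v: WINDOW_MESSAGES.get(v, f"msg 0x{v:04X}"),
    ("Sleep", 0): lambda v: f"{v} ms",
    ("WSAStartup", 0): lambda v: f"Winsock {v & 0xFF}.{v >> 8}",  # low byte = major
    ("IcmpSendEcho", 3): lambda v: f"RequestSize={v}",
    ("IcmpSendEcho", 6): lambda v: f"ReplySize={v}",
    ("IcmpSendEcho", 7): lambda v: f"Timeout={v} ms",
    ("SetErrorMode", 0): lambda v: "SEM_FAILCRITICALERRORS" if v == 1 else f"mode 0x{v:X}",
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list      # raw tokens; "?" means Joe could not resolve the value statically
    ref: int        # call-site address inside the dumped image
    subcall: bool   # listed as part of a called function, not this one

def parse_api_lines(text):
    """Return one ApiCall per bullet line; headings and other text are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), bool(m["sub"])))
    return calls

def arg_value(token):
    """Joe prints stack arguments as 8 hex digits; '?' is unknown, a leading '-' negative."""
    if not HEX_ARG.match(token):
        return None
    return int(token, 16)

def annotate(call):
    """Human-readable notes for the arguments we know how to decode, in argument order."""
    notes = []
    for i, tok in enumerate(call.args):
        v = arg_value(tok)
        dec = ARG_DECODERS.get((call.api, i))
        if v is not None and dec:
            notes.append(dec(v))
    return notes

ICMP_ECHO_REPLY_SIZE32 = 28   # sizeof(ICMP_ECHO_REPLY) in a 32-bit process (assumption)

def icmp_reply_buffer_ok(call):
    """IcmpSendEcho documents ReplySize >= sizeof(ICMP_ECHO_REPLY) + RequestSize + 8
    (the 8 bytes hold an ICMP error). A smaller buffer is a caller bug; a matching one
    shows the runtime followed the SDK rule. Returns None when sizes were not resolved."""
    if call.api != "IcmpSendEcho" or len(call.args) < 8:
        return None
    req, rep = arg_value(call.args[3]), arg_value(call.args[6])
    if req is None or rep is None:
        return None
    return rep >= ICMP_ECHO_REPLY_SIZE32 + req + 8

if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        tag = "subcall " if c.subcall else ""
        print(f"{c.ref:08X} {tag}{c.module}!{c.api} {', '.join(annotate(c))}")
```

Run against the copied lines, the IcmpSendEcho call decodes to a 5-byte request, a 41-byte reply buffer and a 4000 ms timeout, and 41 is exactly 28 + 5 + 8, so the reply buffer matches the SDK minimum; extend ARG_DECODERS as further entries of the report are worked through.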
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0033B4D0
                                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0033B546
                                              • GetLastError.KERNEL32 ref: 0033B550
                                              • SetErrorMode.KERNEL32(00000000,READY), ref: 0033B5BD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Error$Mode$DiskFreeLastSpace
                                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                              • API String ID: 4194297153-14809454
                                              • Opcode ID: 243e2874d36f16c775068ab500ae5e4b5ee3f2c49dc884dbc699f8a790d7612e
                                              • Instruction ID: 7a639dc8f7fc22d5d7f606f746b10098969c250826c1d9a80a95f3713a6a447b
                                              • Opcode Fuzzy Hash: 243e2874d36f16c775068ab500ae5e4b5ee3f2c49dc884dbc699f8a790d7612e
                                              • Instruction Fuzzy Hash: 4D318335A00209EFDB02EB68C885AADB7B8FF46311F504166F606DB291DB719E41CB51
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 0032AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0032AABC
                                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00329014
                                              • GetDlgCtrlID.USER32 ref: 0032901F
                                              • GetParent.USER32 ref: 0032903B
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 0032903E
                                              • GetDlgCtrlID.USER32(?), ref: 00329047
                                              • GetParent.USER32(?), ref: 00329063
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 00329066
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: 3bdc885adeea7318e368e886a6f7df0fd179fcae8189ca0262ae664999db0284
                                              • Instruction ID: 9ecb3cc81d612cb989b40cfd28f3c3d3a0d394608c40d97ed8d3ea6a65179417
                                              • Opcode Fuzzy Hash: 3bdc885adeea7318e368e886a6f7df0fd179fcae8189ca0262ae664999db0284
                                              • Instruction Fuzzy Hash: 4221F570A00218BFDF06ABA4DC85EFEBBB9EF49310F104156F961972B1DB759815DB20
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 0032AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0032AABC
                                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003290FD
                                              • GetDlgCtrlID.USER32 ref: 00329108
                                              • GetParent.USER32 ref: 00329124
                                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 00329127
                                              • GetDlgCtrlID.USER32(?), ref: 00329130
                                              • GetParent.USER32(?), ref: 0032914C
                                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 0032914F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 1536045017-1403004172
                                              • Opcode ID: 1ff743410f09bb7481dd65ff3308cceb15f78ebfc17d0b465baf88f640eb8f20
                                              • Instruction ID: cbe1c3e8c84ff41b277dc59b657be14d51006e6bce96af1a6aa0466773970866
                                              • Opcode Fuzzy Hash: 1ff743410f09bb7481dd65ff3308cceb15f78ebfc17d0b465baf88f640eb8f20
                                              • Instruction Fuzzy Hash: B921B374A00219BFDF02ABA5DC85EFEBBB9EF44300F104056F951972A1DB759825DB20
                                              APIs
                                              • GetParent.USER32 ref: 0032916F
                                              • GetClassNameW.USER32(00000000,?,00000100), ref: 00329184
                                              • _wcscmp.LIBCMT ref: 00329196
                                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00329211
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameParentSend_wcscmp
                                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                              • API String ID: 1704125052-3381328864
                                              • Opcode ID: df099e98346ddf8cc7aa7710d87431629d55a80cf175516b0dadb587d8756ff5
                                              • Instruction ID: 899613e29e54b3958423f5b4ae5aae4484a5c1244de0f4a7240e119119a3669c
                                              • Opcode Fuzzy Hash: df099e98346ddf8cc7aa7710d87431629d55a80cf175516b0dadb587d8756ff5
                                              • Instruction Fuzzy Hash: CB11363624831BFAFA133624FC0AEF7779C9B15760F300467FA10A04E2FF61A8215A90
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 003488D7
                                              • CoInitialize.OLE32(00000000), ref: 00348904
                                              • CoUninitialize.COMBASE ref: 0034890E
                                              • GetRunningObjectTable.OLE32(00000000,?), ref: 00348A0E
                                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 00348B3B
                                              • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00362C0C), ref: 00348B6F
                                              • CoGetObject.OLE32(?,00000000,00362C0C,?), ref: 00348B92
                                              • SetErrorMode.KERNEL32(00000000), ref: 00348BA5
                                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00348C25
                                              • VariantClear.OLEAUT32(?), ref: 00348C35
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                              • String ID:
                                              • API String ID: 2395222682-0
                                              • Opcode ID: ba03095098ddf3e603029479157c00a1706bb308c02106aa32e3d0d37b15e63b
                                              • Instruction ID: 8c2f76f90edbb54da784a218aed48a2e57d2fc16bced2d790e2789fcd0f97bf4
                                              • Opcode Fuzzy Hash: ba03095098ddf3e603029479157c00a1706bb308c02106aa32e3d0d37b15e63b
                                              • Instruction Fuzzy Hash: 1AC124B1608305AFC701EF68C88492BB7E9FF89748F00491DF98A9B261DB71ED05CB52
                                              APIs
                                              • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00337A6C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ArraySafeVartype
                                              • String ID:
                                              • API String ID: 1725837607-0
                                              • Opcode ID: 01721f87b2a4cbf19d67ed016dfe7ddc3023dbd90c71f680b6621f5b17430565
                                              • Instruction ID: a5be098cc736f2359c319eac534af89edfc609e3f598e3ebbd4713231eed6020
                                              • Opcode Fuzzy Hash: 01721f87b2a4cbf19d67ed016dfe7ddc3023dbd90c71f680b6621f5b17430565
                                              • Instruction Fuzzy Hash: 4FB16DB190421A9FDB22DFA4C8C5BBEB7B8FF09321F254429E641EB251D734E941CB90
                                              APIs
                                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 002DFAA6
                                              • OleUninitialize.OLE32(?,00000000), ref: 002DFB45
                                              • UnregisterHotKey.USER32(?), ref: 002DFC9C
                                              • DestroyWindow.USER32(?), ref: 003145D6
                                              • FreeLibrary.KERNEL32(?), ref: 0031463B
                                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00314668
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                              • String ID: close all
                                              • API String ID: 469580280-3243417748
                                              • Opcode ID: bce41808be9d446eb315b77f7ba6a2e58d753a41a0c5704b6e3b5c5ebe0b5410
                                              • Instruction ID: e7adf6dcfed8de65f6295493e554994ae261d4090e06b4e4934ce250bb932735
                                              • Opcode Fuzzy Hash: bce41808be9d446eb315b77f7ba6a2e58d753a41a0c5704b6e3b5c5ebe0b5410
                                              • Instruction Fuzzy Hash: E1A1A330721212CFCB5AEF14C595AA9F364BF19704F5542AEE80AAB361DB30ED62CF54
                                              APIs
                                              • EnumChildWindows.USER32(?,0032A439), ref: 0032A377
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ChildEnumWindows
                                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                              • API String ID: 3555792229-1603158881
                                              • Opcode ID: 8d953adac63e5081170c41d66ce038b4d3cbca8688e8b8e9241ebddef3625b21
                                              • Instruction ID: b517809f4c03fef50c581b23ca4b296f9a05797b9a082e4b78e62b9789185d62
                                              • Opcode Fuzzy Hash: 8d953adac63e5081170c41d66ce038b4d3cbca8688e8b8e9241ebddef3625b21
                                              • Instruction Fuzzy Hash: EA91F730600A15EBCB0AEFA0D481BEDFB79BF04340F518529DA59A7251DF31A9A9CFD1
                                              APIs
                                              • SetWindowLongW.USER32(?,000000EB), ref: 002D2EAE
                                                • Part of subcall function 002D1DB3: GetClientRect.USER32(?,?), ref: 002D1DDC
                                                • Part of subcall function 002D1DB3: GetWindowRect.USER32(?,?), ref: 002D1E1D
                                                • Part of subcall function 002D1DB3: ScreenToClient.USER32(?,?), ref: 002D1E45
                                              • GetDC.USER32 ref: 0030CD32
                                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0030CD45
                                              • SelectObject.GDI32(00000000,00000000), ref: 0030CD53
                                              • SelectObject.GDI32(00000000,00000000), ref: 0030CD68
                                              • ReleaseDC.USER32(?,00000000), ref: 0030CD70
                                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0030CDFB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                              • String ID: U
                                              • API String ID: 4009187628-3372436214
                                              • Opcode ID: 8341714331fbba2e932735cb314bfaa785cfd3f6870314c610e6a94f1b6ba158
                                              • Instruction ID: 94a6b76416c69e056b5c4638fba3a56c37088c3ca88c0610e035099acbdccd14
                                              • Opcode Fuzzy Hash: 8341714331fbba2e932735cb314bfaa785cfd3f6870314c610e6a94f1b6ba158
                                              • Instruction Fuzzy Hash: D771FF30411205EFCF23CF64C8A0AAA7BB9FF48321F14536AED555A2A6C7319C91DB60
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00341A50
                                              • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00341A7C
                                              • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00341ABE
                                              • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00341AD3
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00341AE0
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00341B10
                                              • InternetCloseHandle.WININET(00000000), ref: 00341B57
                                                • Part of subcall function 00342483: GetLastError.KERNEL32(?,?,00341817,00000000,00000000,00000001), ref: 00342498
                                                • Part of subcall function 00342483: SetEvent.KERNEL32(?,?,00341817,00000000,00000000,00000001), ref: 003424AD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                              • String ID:
                                              • API String ID: 2603140658-3916222277
                                              • Opcode ID: 303c0130cb75c2bc36275647714ba3f64de589bdde96e1c2a2ec13d9be8f3b76
                                              • Instruction ID: c26012cd29c94d74d13a374edef6a499eca56f43247837211024dbedb75ab28e
                                              • Opcode Fuzzy Hash: 303c0130cb75c2bc36275647714ba3f64de589bdde96e1c2a2ec13d9be8f3b76
                                              • Instruction Fuzzy Hash: 3A4150B1501619BFEB139F50CC85FBB7BACEF08355F004126F9059E151E774AE849BA4
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0035F910), ref: 00348D28
                                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0035F910), ref: 00348D5C
                                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00348ED6
                                              • SysFreeString.OLEAUT32(?), ref: 00348F00
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                              • String ID:
                                              • API String ID: 560350794-0
                                              • Opcode ID: 0070a22bcc6b234b773ebde7c0ce6836dcdeced9dd7b58d99f0c8d9977e0b867
                                              • Instruction ID: 00af9b29786d7cd726b1cc0a3859f865341686dab57f12cc3549604ac1c7a852
                                              • Opcode Fuzzy Hash: 0070a22bcc6b234b773ebde7c0ce6836dcdeced9dd7b58d99f0c8d9977e0b867
                                              • Instruction Fuzzy Hash: 6CF12771A00209AFCF15DF94C884EAEB7B9FF49315F118499F906AF251DB31AE86CB50
                                              APIs
                                              • _memset.LIBCMT ref: 0034F6B5
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034F848
                                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0034F86C
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034F8AC
                                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0034F8CE
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0034FA4A
                                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0034FA7C
                                              • CloseHandle.KERNEL32(?), ref: 0034FAAB
                                              • CloseHandle.KERNEL32(?), ref: 0034FB22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                              • String ID:
                                              • API String ID: 4090791747-0
                                              • Opcode ID: 754a9805986a14556dd8ef3eb2ab9ef1be4ab940496d53ed243390c6ef080f05
                                              • Instruction ID: c3b72eb740163ed56d10714a0e87e128e2666a90df91321b1b5ae231c7eec9fb
                                              • Opcode Fuzzy Hash: 754a9805986a14556dd8ef3eb2ab9ef1be4ab940496d53ed243390c6ef080f05
                                              • Instruction Fuzzy Hash: 6EE18C316042409FC716EF24C881B6ABBE5AF85354F19856EF8999F2A2CB31EC45CF52
                                              APIs
                                                • Part of subcall function 002D1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,002D2036,?,00000000,?,?,?,?,002D16CB,00000000,?), ref: 002D1B9A
                                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002D20D3
                                              • KillTimer.USER32(-00000001,?,?,?,?,002D16CB,00000000,?,?,002D1AE2,?,?), ref: 002D216E
                                              • DestroyAcceleratorTable.USER32(00000000), ref: 0030BCA6
                                              • DeleteObject.GDI32(00000000), ref: 0030BD1C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                              • String ID:
                                              • API String ID: 2402799130-0
                                              • Opcode ID: c70e260ff0fac6900de56c77d1f088eaf14af509e23b95f579a0539189117216
                                              • Instruction ID: 2081f756b8aecc2ecac0329edda9afdd4c61ac6817081d4169d398edf1755d21
                                              • Opcode Fuzzy Hash: c70e260ff0fac6900de56c77d1f088eaf14af509e23b95f579a0539189117216
                                              • Instruction Fuzzy Hash: 9D618B31225B01DFDB27AF14D958B2AB7F5FB60312F10842AE4429BAB0C771ACA4DF50
                                              APIs
                                                • Part of subcall function 0033466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00333697,?), ref: 0033468B
                                                • Part of subcall function 0033466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00333697,?), ref: 003346A4
                                                • Part of subcall function 00334A31: GetFileAttributesW.KERNEL32(?,0033370B), ref: 00334A32
                                              • lstrcmpiW.KERNEL32(?,?), ref: 00334D40
                                              • _wcscmp.LIBCMT ref: 00334D5A
                                              • MoveFileW.KERNEL32(?,?), ref: 00334D75
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                              • String ID:
                                              • API String ID: 793581249-0
                                              • Opcode ID: 4e175b4a978c2e8c1856ae4f282a1f0145c8217f002aad5b3522a323a5dd0076
                                              • Instruction ID: 7e7caf4142e892d7323a3215139c14d4a7297c3be57ecf44e0675bcd9651006d
                                              • Opcode Fuzzy Hash: 4e175b4a978c2e8c1856ae4f282a1f0145c8217f002aad5b3522a323a5dd0076
                                              • Instruction Fuzzy Hash: 255142B20083459BC725DBA4D8919DFB3ECAF85351F10092EF689D3152EF74B588CB66
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003586FF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: bbee321a38c9075bdbc367fb85f7949efa64ef6bbbe05d6590e52a6e9f9a6f4f
                                              • Instruction ID: 03a255c7b318eaea37c93bf7a4729be9eefc4944a49c1f7f0636e7d87553c93e
                                              • Opcode Fuzzy Hash: bbee321a38c9075bdbc367fb85f7949efa64ef6bbbe05d6590e52a6e9f9a6f4f
                                              • Instruction Fuzzy Hash: 9D51B430600244BEEB229F25CC89FAD7B68EB05356F604116FE55F61B0CF71A998CB81
                                              APIs
                                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0030C2F7
                                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0030C319
                                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0030C331
                                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0030C34F
                                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0030C370
                                              • DestroyCursor.USER32(00000000), ref: 0030C37F
                                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0030C39C
                                              • DestroyCursor.USER32(?), ref: 0030C3AB
                                                • Part of subcall function 0035A4AF: DeleteObject.GDI32(00000000), ref: 0035A4E8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                              • String ID:
                                              • API String ID: 2975913752-0
                                              • Opcode ID: 8a64e7d6d466912ce4b7e7e6653e5c26cc691767fae287e980071a52cb6ff199
                                              • Instruction ID: 8c811bd84388b42ca9f420de929af6b076b3ca6239f709b9b948a4ade5d5adc3
                                              • Opcode Fuzzy Hash: 8a64e7d6d466912ce4b7e7e6653e5c26cc691767fae287e980071a52cb6ff199
                                              • Instruction Fuzzy Hash: B7516C74620705EFDB22DF64CC45FAA77A9EB58311F10462AF902972E0D7B0ADA4DB50
                                              APIs
                                                • Part of subcall function 0032A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0032A84C
                                                • Part of subcall function 0032A82C: GetCurrentThreadId.KERNEL32 ref: 0032A853
                                                • Part of subcall function 0032A82C: AttachThreadInput.USER32(00000000,?,00329683,?,00000001), ref: 0032A85A
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 0032968E
                                              • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003296AB
                                              • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003296AE
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 003296B7
                                              • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003296D5
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003296D8
                                              • MapVirtualKeyW.USER32(00000025,00000000), ref: 003296E1
                                              • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003296F8
                                              • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003296FB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                              • String ID:
                                              • API String ID: 2014098862-0
                                              • Opcode ID: f8405d07c90932452412819ee76472f4a3e1fa4ff2afb4b125a5dafdb44d01e8
                                              • Instruction ID: 3b314df7adc7349a4ba4bc7626d02e617485ba266c97ddaa976c200100736994
                                              • Opcode Fuzzy Hash: f8405d07c90932452412819ee76472f4a3e1fa4ff2afb4b125a5dafdb44d01e8
                                              • Instruction Fuzzy Hash: FC11A1B1950618BFF6126F60EC89F6A7F6DEB4C762F110425F344AB0B0C9F25C50DAA4
                                              APIs
                                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0032853C,00000B00,?,?), ref: 0032892A
                                              • RtlAllocateHeap.NTDLL(00000000,?,0032853C), ref: 00328931
                                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0032853C,00000B00,?,?), ref: 00328946
                                              • GetCurrentProcess.KERNEL32(?,00000000,?,0032853C,00000B00,?,?), ref: 0032894E
                                              • DuplicateHandle.KERNEL32(00000000,?,0032853C,00000B00,?,?), ref: 00328951
                                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0032853C,00000B00,?,?), ref: 00328961
                                              • GetCurrentProcess.KERNEL32(0032853C,00000000,?,0032853C,00000B00,?,?), ref: 00328969
                                              • DuplicateHandle.KERNEL32(00000000,?,0032853C,00000B00,?,?), ref: 0032896C
                                              • CreateThread.KERNEL32(00000000,00000000,00328992,00000000,00000000,00000000), ref: 00328986
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                              • String ID:
                                              • API String ID: 1422014791-0
                                              • Opcode ID: a7f0890a9bebe6758e81388e81ce550635f4c79c2f97080c89b5de1e3c54ded3
                                              • Instruction ID: 34b6bfe86553eb4e914b4dfa4a34ce457753089d04fbebe2d33e767b13e8d0db
                                              • Opcode Fuzzy Hash: a7f0890a9bebe6758e81388e81ce550635f4c79c2f97080c89b5de1e3c54ded3
                                              • Instruction Fuzzy Hash: 4701BBB5240708FFE711ABA5DC4DF6B3BACEB89711F408421FA05DB1A1CA709900CB61
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: NULL Pointer assignment$Not an Object type
                                              • API String ID: 0-572801152
                                              • Opcode ID: 0f09cf2f5d1df1c262a38fa69a01d61a94292ed8513da21b6306f8119b83ca29
                                              • Instruction ID: 2215f97755d6562e9d0508f3632bd85b7846b2fad0ea79f1265c34dc6ce83a9f
                                              • Opcode Fuzzy Hash: 0f09cf2f5d1df1c262a38fa69a01d61a94292ed8513da21b6306f8119b83ca29
                                              • Instruction Fuzzy Hash: 56C18171A002199FDF11DF98D884BAFB7F9FB48314F15846AE905AF290E770AD45CB90
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$_memset
                                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                              • API String ID: 2862541840-625585964
                                              • Opcode ID: 94b4e607c29bedb68ba3445bcbe1c8d591b08039d180aba1bb3411297d246b6b
                                              • Instruction ID: a342daad177b6b9f931d76f90acf190cea6d93cf20af302d88fb5e682b921928
                                              • Opcode Fuzzy Hash: 94b4e607c29bedb68ba3445bcbe1c8d591b08039d180aba1bb3411297d246b6b
                                              • Instruction Fuzzy Hash: 4D919D71A00209ABDF26DFA5C848FAFB7B8EF46710F10855AF515AF280D770A945CFA0
                                              APIs
                                                • Part of subcall function 0032710A: CLSIDFromProgID.COMBASE ref: 00327127
                                                • Part of subcall function 0032710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00327142
                                                • Part of subcall function 0032710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327044,80070057,?,?), ref: 00327150
                                                • Part of subcall function 0032710A: CoTaskMemFree.COMBASE(00000000), ref: 00327160
                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00349806
                                              • _memset.LIBCMT ref: 00349813
                                              • _memset.LIBCMT ref: 00349956
                                              • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00349982
                                              • CoTaskMemFree.COMBASE(?), ref: 0034998D
                                              Strings
                                              • NULL Pointer assignment, xrefs: 003499DB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                              • String ID: NULL Pointer assignment
                                              • API String ID: 1300414916-2785691316
                                              • Opcode ID: 0c32106c67f659eca280609d26dc65273387479ae1171183c4f92b05f47127ff
                                              • Instruction ID: cda4f56474be454e207d2209735dcd422acfd657f9f29242ed9c0138c2e482db
                                              • Opcode Fuzzy Hash: 0c32106c67f659eca280609d26dc65273387479ae1171183c4f92b05f47127ff
                                              • Instruction Fuzzy Hash: 39913C71D00229EBDB11DFA5DC45EDEBBB9BF04310F10415AF519AB251EB71AA44CFA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00356E24
                                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 00356E38
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00356E52
                                              • _wcscat.LIBCMT ref: 00356EAD
                                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00356EC4
                                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00356EF2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window_wcscat
                                              • String ID: SysListView32
                                              • API String ID: 307300125-78025650
                                              • Opcode ID: 832f9a58bcd2f205cedd87736ccaff0917cf8ca1f6a15e2ea5a564f25974c601
                                              • Instruction ID: 787c5cb9a43fb656742f8892c976a5c4365e64259e3e06cafd09f0e901200688
                                              • Opcode Fuzzy Hash: 832f9a58bcd2f205cedd87736ccaff0917cf8ca1f6a15e2ea5a564f25974c601
                                              • Instruction Fuzzy Hash: 90419470A00348AFDB229F64CC46FEEB7F8EF08351F51042AF945D71A1D6719D888B60
                                              APIs
                                                • Part of subcall function 00333C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00333C7A
                                                • Part of subcall function 00333C55: Process32FirstW.KERNEL32(00000000,?), ref: 00333C88
                                                • Part of subcall function 00333C55: CloseHandle.KERNEL32(00000000), ref: 00333D52
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034E9A4
                                              • GetLastError.KERNEL32 ref: 0034E9B7
                                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0034E9E6
                                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 0034EA63
                                              • GetLastError.KERNEL32(00000000), ref: 0034EA6E
                                              • CloseHandle.KERNEL32(00000000), ref: 0034EAA3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                              • String ID: SeDebugPrivilege
                                              • API String ID: 2533919879-2896544425
                                              • Opcode ID: 000003084481c4884407cfcce3948f45c85a2c4695a8fb073102c68194b9c9c2
                                              • Instruction ID: d2c43f5a23f02ce2d45f4274af469f523cb1089602f57991d4904f7be0103bcf
                                              • Opcode Fuzzy Hash: 000003084481c4884407cfcce3948f45c85a2c4695a8fb073102c68194b9c9c2
                                              • Instruction Fuzzy Hash: 1E4186312002009FDB16EF24DC96B6ABBE9BF40714F188459F9469F3D2CBB4A954CB91
                                              APIs
                                              • LoadIconW.USER32(00000000,00007F03), ref: 00333033
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: IconLoad
                                              • String ID: blank$info$question$stop$warning
                                              • API String ID: 2457776203-404129466
                                              • Opcode ID: 02ec79ad5e6edafee00eac3ad633b4aed330a983f6c2db7109804f8362ea1780
                                              • Instruction ID: 618d34896c6e4519421212ed8f342e2180484f893ec61eca7b8f570367401249
                                              • Opcode Fuzzy Hash: 02ec79ad5e6edafee00eac3ad633b4aed330a983f6c2db7109804f8362ea1780
                                              • Instruction Fuzzy Hash: 2B11273134C34ABEE71BAB54DCC2CABB79C9F16360F20406AFA01A6181DB706F445AA1
                                              APIs
                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00334312
                                              • LoadStringW.USER32(00000000), ref: 00334319
                                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0033432F
                                              • LoadStringW.USER32(00000000), ref: 00334336
                                              • _wprintf.LIBCMT ref: 0033435C
                                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0033437A
                                              Strings
                                              • %s (%d) : ==> %s: %s %s, xrefs: 00334357
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: HandleLoadModuleString$Message_wprintf
                                              • String ID: %s (%d) : ==> %s: %s %s
                                              • API String ID: 3648134473-3128320259
                                              • Opcode ID: c553aad98e8467033d792b9a919247ddb792ba2ec9ef9aa34fea563c7b1154f8
                                              • Instruction ID: e1ab1b2f465adcbea592fa260bfd6d1ab8dfcd749e7a65c62202966349441b61
                                              • Opcode Fuzzy Hash: c553aad98e8467033d792b9a919247ddb792ba2ec9ef9aa34fea563c7b1154f8
                                              • Instruction Fuzzy Hash: DC0162F6900308BFE752EBA0DD89EFB776CDB08312F4005A1BB45E2061EA745E854B70
                                              APIs
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0030C1C7,00000004,00000000,00000000,00000000), ref: 002D2ACF
                                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0030C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 002D2B17
                                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0030C1C7,00000004,00000000,00000000,00000000), ref: 0030C21A
                                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0030C1C7,00000004,00000000,00000000,00000000), ref: 0030C286
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ShowWindow
                                              • String ID:
                                              • API String ID: 1268545403-0
                                              • Opcode ID: 3c9a10574a8a8d710b1c5d8245cbe8dffa14d1c24f42678787ef0b5e9a1310ac
                                              • Instruction ID: 99ac9ce2675b95515e9dc44c9f62a7102810c1489a3f58a4890110dc8214b6eb
                                              • Opcode Fuzzy Hash: 3c9a10574a8a8d710b1c5d8245cbe8dffa14d1c24f42678787ef0b5e9a1310ac
                                              • Instruction Fuzzy Hash: 4041F930738781DECB379F288C98B6B7B99EB65304F54891BE087867A1C6B19C99D710
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 003370DD
                                                • Part of subcall function 002F0DB6: std::exception::exception.LIBCMT ref: 002F0DEC
                                                • Part of subcall function 002F0DB6: __CxxThrowException@8.LIBCMT ref: 002F0E01
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00337114
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00337130
                                              • _memmove.LIBCMT ref: 0033717E
                                              • _memmove.LIBCMT ref: 0033719B
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 003371AA
                                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003371BF
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 003371DE
                                              Similarity
                                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                              • String ID:
                                              • API String ID: 256516436-0
                                              • Opcode ID: ff2872217e1c6c7ce0554fbeaec98e9c0538ea8966b5e219ed743445773a496c
                                              • Instruction ID: eb41997697ee325b84a0fc24543722f8d14a187674bdaa06de45cb7647509fc4
                                              • Opcode Fuzzy Hash: ff2872217e1c6c7ce0554fbeaec98e9c0538ea8966b5e219ed743445773a496c
                                              • Instruction Fuzzy Hash: 2C315C76900209EFCF11DFA4DC85AAEBBB8EF45711F1541B5EA04AB256DB309E10CBA0
                                              APIs
                                              • DeleteObject.GDI32(00000000), ref: 003561EB
                                              • GetDC.USER32(00000000), ref: 003561F3
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003561FE
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0035620A
                                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00356246
                                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00356257
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0035902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00356291
                                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003562B1
                                              Similarity
                                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                              • String ID:
                                              • API String ID: 3864802216-0
                                              • Opcode ID: 41187832cf7142dbbb7d6a62bf867fd7f80d9d6549c09bf0ed78d68e383feb66
                                              • Instruction ID: e89538946fef645e7e0ad099135be20ecf5e9f4766459a31cea4d3e53c3e110b
                                              • Opcode Fuzzy Hash: 41187832cf7142dbbb7d6a62bf867fd7f80d9d6549c09bf0ed78d68e383feb66
                                              • Instruction Fuzzy Hash: 03314F72101214BFEB128F50CC8AFEB3BADEF49766F054065FE089A1A1D6759C41CB74
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: df10c8b27ead6dda563ea54438cbf7a5e43994784d26461de9cd4ef3666c8913
                                              • Instruction ID: ec0acd999fbb165a9eab9c97e9d07c8e5ef7cc9b0491be90c7e533aee5c8ec89
                                              • Opcode Fuzzy Hash: df10c8b27ead6dda563ea54438cbf7a5e43994784d26461de9cd4ef3666c8913
                                              • Instruction Fuzzy Hash: A8715930910109FFCB059F98CC49AAEBB79FF85314F14815AF915AB291C734AA61CFA0
                                              APIs
                                              • IsWindow.USER32(01464E10), ref: 0035B3EB
                                              • IsWindowEnabled.USER32(01464E10), ref: 0035B3F7
                                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0035B4DB
                                              • SendMessageW.USER32(01464E10,000000B0,?,?), ref: 0035B512
                                              • IsDlgButtonChecked.USER32(?,?), ref: 0035B54F
                                              • GetWindowLongW.USER32(01464E10,000000EC), ref: 0035B571
                                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0035B589
                                              Similarity
                                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                              • String ID:
                                              • API String ID: 4072528602-0
                                              • Opcode ID: eb340472fe6e8b2216fc91a9517d00cfcb3f43453df8e40b3e058c2cc4b949a5
                                              • Instruction ID: ca25eeb2488b582f2d79ddf65577f6de94ebd321dde2cdabd845e4d5d84b8420
                                              • Opcode Fuzzy Hash: eb340472fe6e8b2216fc91a9517d00cfcb3f43453df8e40b3e058c2cc4b949a5
                                              • Instruction Fuzzy Hash: 18717A78604604AFDF379F56C894FBABBA9FF09302F154059ED45972B2C731A948CB50
                                              APIs
                                              • _memset.LIBCMT ref: 0034F448
                                              • _memset.LIBCMT ref: 0034F511
                                              • ShellExecuteExW.SHELL32(?), ref: 0034F556
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                                • Part of subcall function 002EFC86: _wcscpy.LIBCMT ref: 002EFCA9
                                              • GetProcessId.KERNEL32(00000000), ref: 0034F5CD
                                              • CloseHandle.KERNEL32(00000000), ref: 0034F5FC
                                              Strings
                                              Similarity
                                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                              • String ID: @
                                              • API String ID: 3522835683-2766056989
                                              • Opcode ID: 090653a438e23f595f2738ea67db6c9640cd6dade979f01f664460040889f98c
                                              • Instruction ID: 0f4dc8c6d73de113698b595be29cbfcb09842d619583815ab9133d712d9df9aa
                                              • Opcode Fuzzy Hash: 090653a438e23f595f2738ea67db6c9640cd6dade979f01f664460040889f98c
                                              • Instruction Fuzzy Hash: BD619C75A106199FCB05EF64C4819AEBBF5FF49310F1580AAE85AAB351CB30AD51CF90
                                              APIs
                                              • GetParent.USER32(?), ref: 00330F8C
                                              • GetKeyboardState.USER32(?), ref: 00330FA1
                                              • SetKeyboardState.USER32(?), ref: 00331002
                                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 00331030
                                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 0033104F
                                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 00331095
                                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 003310B8
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: 39cc2f5d57e707c3b62133dc752be20d5e7ed2c3419945bccc551f269c2f1842
                                              • Instruction ID: e5127b85dffb59963ab8ae8c9772e2f470bf46fd7257441eb497f18fa957543e
                                              • Opcode Fuzzy Hash: 39cc2f5d57e707c3b62133dc752be20d5e7ed2c3419945bccc551f269c2f1842
                                              • Instruction Fuzzy Hash: 3151C2A09047D53DFB3B42348C95BBABFA95B06304F098989E1D58A8D2C299ECD8D751
                                              APIs
                                              • GetParent.USER32(00000000), ref: 00330DA5
                                              • GetKeyboardState.USER32(?), ref: 00330DBA
                                              • SetKeyboardState.USER32(?), ref: 00330E1B
                                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00330E47
                                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00330E64
                                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00330EA8
                                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00330EC9
                                              Similarity
                                              • API ID: MessagePost$KeyboardState$Parent
                                              • String ID:
                                              • API String ID: 87235514-0
                                              • Opcode ID: acb8947c9c468051961712a004da399f73538e83bdd5192c3fc4c1c1c5ce13c1
                                              • Instruction ID: bb9a1bdbc2fe70aac1f3a7041fe368dd779f3edb9ecc775c0e50641d522f6c48
                                              • Opcode Fuzzy Hash: acb8947c9c468051961712a004da399f73538e83bdd5192c3fc4c1c1c5ce13c1
                                              • Instruction Fuzzy Hash: BD51E6A0644BD53DFB3B83748CA5B7ABEE95B06300F088989E1D49A8C2D395AC98D750
                                              APIs
                                              Similarity
                                              • API ID: _wcsncpy$LocalTime
                                              • String ID:
                                              • API String ID: 2945705084-0
                                              • Opcode ID: 2f1a33de7160fa6b66da00de91fdc2a6d1c3222d9099c8d74c83ec909db09dff
                                              • Instruction ID: 97fd0b8b2e9773af45fc5e7e64ef8a2bd18488a4e8079a72200263041bc6d0f9
                                              • Opcode Fuzzy Hash: 2f1a33de7160fa6b66da00de91fdc2a6d1c3222d9099c8d74c83ec909db09dff
                                              • Instruction Fuzzy Hash: 96418665C21618B6CB11EBF4C886ADFF3BCAF05350F504565F614E3121FA34A255CBA6
                                              APIs
                                                • Part of subcall function 0033466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00333697,?), ref: 0033468B
                                                • Part of subcall function 0033466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00333697,?), ref: 003346A4
                                              • lstrcmpiW.KERNEL32(?,?), ref: 003336B7
                                              • _wcscmp.LIBCMT ref: 003336D3
                                              • MoveFileW.KERNEL32(?,?), ref: 003336EB
                                              • _wcscat.LIBCMT ref: 00333733
                                              • SHFileOperationW.SHELL32(?), ref: 0033379F
                                              Strings
                                              Similarity
                                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                              • String ID: \*.*
                                              • API String ID: 1377345388-1173974218
                                              • Opcode ID: 052f96669a4e62d0ac5f099340b62a5b017db0c6a667c6307d5bb7c45a10e94b
                                              • Instruction ID: 36ff936f16fb50593aeb8124312a3eb686e15934c94834da821a35f1cc186b80
                                              • Opcode Fuzzy Hash: 052f96669a4e62d0ac5f099340b62a5b017db0c6a667c6307d5bb7c45a10e94b
                                              • Instruction Fuzzy Hash: 7541B3B1108344AEC752EF64C4869DFB7ECAF89380F00492EF48AC7251EB34D689CB52
                                              APIs
                                              • _memset.LIBCMT ref: 003572AA
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00357351
                                              • IsMenu.USER32(?), ref: 00357369
                                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003573B1
                                              • DrawMenuBar.USER32 ref: 003573C4
                                              Strings
                                              Similarity
                                              • API ID: Menu$Item$DrawInfoInsert_memset
                                              • String ID: 0
                                              • API String ID: 3866635326-4108050209
                                              • Opcode ID: 1394a9c181cacbc36cb05e6aa649c0bd09944af8f23338dcb7513fd10ae735d5
                                              • Instruction ID: 9baf47914a6afa8bda6a23d1f1a8f42e25f41c9241dd7fe5abe0b6d8c75ff11c
                                              • Opcode Fuzzy Hash: 1394a9c181cacbc36cb05e6aa649c0bd09944af8f23338dcb7513fd10ae735d5
                                              • Instruction Fuzzy Hash: 98412679A04208EFDB22DF50E884E9ABBB8FF05362F158429FD0597260D730AD58DF90
                                              APIs
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00350FD4
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00350FFE
                                              • FreeLibrary.KERNEL32(00000000), ref: 003510B5
                                                • Part of subcall function 00350FA5: RegCloseKey.ADVAPI32(?), ref: 0035101B
                                                • Part of subcall function 00350FA5: FreeLibrary.KERNEL32(?), ref: 0035106D
                                                • Part of subcall function 00350FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00351090
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00351058
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                                              • String ID:
                                              • API String ID: 395352322-0
                                              • Opcode ID: b3d99403f77821b03564108f6f0d9c096e028c2091cbe0b8826d7f02b973cf27
                                              • Instruction ID: dcde3ed1f4c42a414245711cf5c18bce06a3062b16e9dfb5643eba0dbb7eec73
                                              • Opcode Fuzzy Hash: b3d99403f77821b03564108f6f0d9c096e028c2091cbe0b8826d7f02b973cf27
                                              • Instruction Fuzzy Hash: FB310F71901209BFDB169F90DC89EFFB7BCEF08311F040169E901A31A1DA759E899AA0
                                              APIs
                                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003562EC
                                              • GetWindowLongW.USER32(01464E10,000000F0), ref: 0035631F
                                              • GetWindowLongW.USER32(01464E10,000000F0), ref: 00356354
                                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00356386
                                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003563B0
                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 003563C1
                                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003563DB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LongWindow$MessageSend
                                              • String ID:
                                              • API String ID: 2178440468-0
                                              • Opcode ID: 204c6664a9d4f18a129be786e9154faf3469bbc60241edecf28a5b8541cc3ff6
                                              • Instruction ID: 258ff423ed2a337e493518504b16d6ad7e8f31b70e177b27bbec194c76d13baa
                                              • Opcode Fuzzy Hash: 204c6664a9d4f18a129be786e9154faf3469bbc60241edecf28a5b8541cc3ff6
                                              • Instruction Fuzzy Hash: 473103387442509FDB22CF18DC86F5937E9FB4A756F5A01A5F9018F2B1CB72A884DB50
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032DB2E
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0032DB54
                                              • SysAllocString.OLEAUT32(00000000), ref: 0032DB57
                                              • SysAllocString.OLEAUT32(?), ref: 0032DB75
                                              • SysFreeString.OLEAUT32(?), ref: 0032DB7E
                                              • StringFromGUID2.COMBASE(?,?,00000028), ref: 0032DBA3
                                              • SysAllocString.OLEAUT32(?), ref: 0032DBB1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                              • String ID:
                                              • API String ID: 3761583154-0
                                              • Opcode ID: 7700d87c193397414b21873eb30ed827e77edc09b5d1ebab4ae795f05b8bb849
                                              • Instruction ID: 37084a2b25b67178f5f74688ffd720311125d978dbf4383184e6ff4e6a4213e1
                                              • Opcode Fuzzy Hash: 7700d87c193397414b21873eb30ed827e77edc09b5d1ebab4ae795f05b8bb849
                                              • Instruction Fuzzy Hash: 1D21A476601229AFDF11DFB9EC88CBB73ACEB09360B018525FE14DB261D670EC418B60
                                              APIs
                                                • Part of subcall function 00347D8B: inet_addr.WS2_32(00000000), ref: 00347DB6
                                              • socket.WS2_32(00000002,00000001,00000006), ref: 003461C6
                                              • WSAGetLastError.WS2_32(00000000), ref: 003461D5
                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0034620E
                                              • connect.WSOCK32(00000000,?,00000010), ref: 00346217
                                              • WSAGetLastError.WS2_32 ref: 00346221
                                              • closesocket.WS2_32(00000000), ref: 0034624A
                                              • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00346263
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                              • String ID:
                                              • API String ID: 910771015-0
                                              • Opcode ID: d822eed963fdca5ab0aaa24ea829caef59873f021f6b35c31a3e145c1efda191
                                              • Instruction ID: a19b1667f4627a62be130bdadebdf8dd917e7b6bc49f6eafe6ff6cfe8355f630
                                              • Opcode Fuzzy Hash: d822eed963fdca5ab0aaa24ea829caef59873f021f6b35c31a3e145c1efda191
                                              • Instruction Fuzzy Hash: E531A131600218AFDF11AF24CC86BBE7BECEF46751F054429F905EB291DB70AC449BA2
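The blocks above and below are the report's per-function import summary: each "APIs" list is one function in the dumped image (base 002D0000) with the calls it makes, the calls its callees make ("Part of subcall function"), and the identifiers used to match the function across samples. The Python parser below is an added example and is not part of the Joe Sandbox report or of the sample's code; it turns that listing into records and tags each function by what its imports allow, including the socket/ioctlsocket(FIONBIO)/connect sequence of the non-blocking connect in the block just above. SAMPLE is a constructed excerpt copied from the registry-deletion and socket blocks above; the capability buckets used for tagging are this example's own assumption.

```python
"""Parse Joe Sandbox per-function API blocks ('APIs' ... 'Similarity') into
records and tag each function by the capability its imports suggest.
Added example, not part of the report; SAMPLE is a constructed excerpt
copied from two blocks above (registry deletion, non-blocking TCP connect)."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00350FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00350FFE
• FreeLibrary.KERNEL32(00000000), ref: 003510B5
  • Part of subcall function 00350FA5: RegCloseKey.ADVAPI32(?), ref: 0035101B
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00351058
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• Instruction Fuzzy Hash: FB310F71901209BFDB169F90DC89EFFB7BCEF08311F040169E901A31A1DA759E899AA0
APIs
  • Part of subcall function 00347D8B: inet_addr.WS2_32(00000000), ref: 00347DB6
• socket.WS2_32(00000002,00000001,00000006), ref: 003461C6
• WSAGetLastError.WS2_32(00000000), ref: 003461D5
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 0034620E
• connect.WSOCK32(00000000,?,00000010), ref: 00346217
• WSAGetLastError.WS2_32 ref: 00346221
• closesocket.WS2_32(00000000), ref: 0034624A
• ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00346263
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• Instruction Fuzzy Hash: E531A131600218AFDF11AF24CC86BBE7BECEF46751F054429F905EB291DB70AC449BA2
"""

# "api.MODULE(args), ref: ADDR", optionally prefixed by "Part of subcall function ADDR:"
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subcall>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
META_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")  # "• Key: value"

FIONBIO = "8004667E"  # ioctlsocket command that switches a socket to non-blocking mode

# Illustrative buckets (an assumption of this example); the names are ones seen in the report.
CAPABILITIES = {
    "network": {"socket", "connect", "closesocket", "inet_addr", "inet_ntoa", "htons"},
    "registry_modify": {"RegDeleteKeyW"},
    "process_create": {"CreateProcessW"},
    "dynamic_resolve": {"GetProcAddress", "LoadLibraryExW"},
}


@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)  # dicts with api, module, args, ref, subcall
    meta: dict = field(default_factory=dict)   # e.g. "API ID", "Instruction Fuzzy Hash"

    @property
    def api_names(self):
        return {c["api"] for c in self.calls}


def parse_blocks(text):
    """Split the listing at every 'APIs' header; collect calls and '• Key: value' metadata."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = CALL_RE.match(line)
        if m:
            call = m.groupdict()
            call["args"] = call["args"] or ""  # some calls are printed without a parameter list
            current.calls.append(call)
            continue
        m = META_RE.match(line)
        if m:
            current.meta[m.group("key")] = m.group("value")
    return blocks


def tag_capabilities(block):
    """Capability tags implied by a block's imports."""
    tags = {name for name, apis in CAPABILITIES.items() if block.api_names & apis}
    # socket() + ioctlsocket(FIONBIO) + connect() is the non-blocking connect idiom: connect
    # returns at once with WSAEWOULDBLOCK (hence the WSAGetLastError) and the caller polls later.
    fionbio = any(c["api"] == "ioctlsocket" and FIONBIO in c["args"] for c in block.calls)
    if fionbio and "connect" in block.api_names:
        tags.add("nonblocking_connect")
    return tags


def triage(text):
    """Flatten the listing into rows a triage sheet or detection lookup can consume."""
    return [
        {
            "api_id": b.meta.get("API ID", ""),
            "fuzzy_hash": b.meta.get("Instruction Fuzzy Hash", ""),
            "refs": [c["ref"] for c in b.calls],
            "tags": sorted(tag_capabilities(b)),
        }
        for b in parse_blocks(text)
    ]
```

Feed the whole "Execution Graph" text of a report to triage() to get one row per function; filtering rows on tags such as registry_modify or nonblocking_connect points straight at the functions worth opening in the dump, and the refs give the addresses to jump to.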
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __wcsnicmp
                                              • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                              • API String ID: 1038674560-2734436370
                                              • Opcode ID: f82456691e370692968a1588431d119154c26aaf135c39808e868e2fc561514d
                                              • Instruction ID: a4b598152bc06fbc46f7a4049f447dbe9cc43db099d4b1bda10866a9b512068c
                                              • Opcode Fuzzy Hash: f82456691e370692968a1588431d119154c26aaf135c39808e868e2fc561514d
                                              • Instruction Fuzzy Hash: 492164722146316ED222EA38FC02EBBB3A8EF59380F11803AF94286091EB919D55C794
                                              APIs
                                                • Part of subcall function 002D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D1D73
                                                • Part of subcall function 002D1D35: GetStockObject.GDI32(00000011), ref: 002D1D87
                                                • Part of subcall function 002D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D1D91
                                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00357632
                                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0035763F
                                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0035764A
                                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00357659
                                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00357665
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$CreateObjectStockWindow
                                              • String ID: Msctls_Progress32
                                              • API String ID: 1025951953-3636473452
                                              • Opcode ID: 94c605d3990ae9c9f521849f11033b3527bf676bd4b0846f108398f0be74bbee
                                              • Instruction ID: 1b2ef1cd95fbe8681a91bc45501c1e87157e3410a06e53928333507ce2f3f628
                                              • Opcode Fuzzy Hash: 94c605d3990ae9c9f521849f11033b3527bf676bd4b0846f108398f0be74bbee
                                              • Instruction Fuzzy Hash: A811C4B2110219BFEF169F64CC85EE77F6DEF08798F014115FA44A60A0CB72AC21DBA4
                                              APIs
                                              • __init_pointers.LIBCMT ref: 002F9AE6
                                                • Part of subcall function 002F3187: RtlEncodePointer.NTDLL(00000000), ref: 002F318A
                                                • Part of subcall function 002F3187: __initp_misc_winsig.LIBCMT ref: 002F31A5
                                                • Part of subcall function 002F3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002F9EA0
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 002F9EB4
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 002F9EC7
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 002F9EDA
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 002F9EED
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 002F9F00
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 002F9F13
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 002F9F26
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 002F9F39
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 002F9F4C
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 002F9F5F
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 002F9F72
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 002F9F85
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 002F9F98
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 002F9FAB
                                                • Part of subcall function 002F3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 002F9FBE
                                              • __mtinitlocks.LIBCMT ref: 002F9AEB
                                              • __mtterm.LIBCMT ref: 002F9AF4
                                                • Part of subcall function 002F9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 002F9C56
                                                • Part of subcall function 002F9B5C: _free.LIBCMT ref: 002F9C5D
                                                • Part of subcall function 002F9B5C: RtlDeleteCriticalSection.NTDLL(029), ref: 002F9C7F
                                              • __calloc_crt.LIBCMT ref: 002F9B19
                                              • __initptd.LIBCMT ref: 002F9B3B
                                              • GetCurrentThreadId.KERNEL32 ref: 002F9B42
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                              • String ID:
                                              • API String ID: 3567560977-0
                                              • Opcode ID: a95def1d4d771142dfcb350ce03212bf956612d8a6f85d344425c47df2468764
                                              • Instruction ID: c48bc11ebce46fcaff940b46e7a2e51988c02f756acad806083bbd7b687f6bb1
                                              • Opcode Fuzzy Hash: a95def1d4d771142dfcb350ce03212bf956612d8a6f85d344425c47df2468764
                                              • Instruction Fuzzy Hash: 3BF0C23253971A19E634BB74BC07B7AE6849B037F8F200679F714851D6EF5084E00A60
                                              APIs
                                              • _memset.LIBCMT ref: 0035B644
                                              • _memset.LIBCMT ref: 0035B653
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00396F20,00396F64), ref: 0035B682
                                              • CloseHandle.KERNEL32 ref: 0035B694
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memset$CloseCreateHandleProcess
                                              • String ID: o9$do9
                                              • API String ID: 3277943733-3668714863
                                              • Opcode ID: 6bc724e25853f6d31670cdb3e9b28a815879b4d4a94f31a941fd51f3e6cef1b4
                                              • Instruction ID: f90090eb8b62e1bc7ff8c8784b263f1ce4de0061c59b8974b84cf076c55f14df
                                              • Opcode Fuzzy Hash: 6bc724e25853f6d31670cdb3e9b28a815879b4d4a94f31a941fd51f3e6cef1b4
                                              • Instruction Fuzzy Hash: E7F0FEB6551304BFF6123765BC07FBB7A9CEB09795F004031BA0AE51A2D7765C108BA8
                                              APIs
                                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,002F3F85), ref: 002F4085
                                              • GetProcAddress.KERNEL32(00000000), ref: 002F408C
                                              • RtlEncodePointer.NTDLL(00000000), ref: 002F4097
                                              • RtlDecodePointer.NTDLL(002F3F85), ref: 002F40B2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                              • String ID: RoUninitialize$combase.dll
                                              • API String ID: 3489934621-2819208100
                                              • Opcode ID: 9472cba4883ccf5df3c410e654ff302e57f5b85b02aac8b5810a3ebd67437612
                                              • Instruction ID: d59e58f928c75409bbd903c9f66bb1b4f527645f272dd5bbe11d65f66a0a6712
                                              • Opcode Fuzzy Hash: 9472cba4883ccf5df3c410e654ff302e57f5b85b02aac8b5810a3ebd67437612
                                              • Instruction Fuzzy Hash: 8CE092B4592701AFEA22BF61EC09B567AACB704783F10442AF615E10B0CFB74600CA14
                                              APIs
                                              • __WSAFDIsSet.WS2_32(00000000,?), ref: 00346C00
                                              • WSAGetLastError.WS2_32(00000000), ref: 00346C34
                                              • htons.WS2_32(?), ref: 00346CEA
                                              • inet_ntoa.WS2_32(?), ref: 00346CA7
                                                • Part of subcall function 0032A7E9: _strlen.LIBCMT ref: 0032A7F3
                                                • Part of subcall function 0032A7E9: _memmove.LIBCMT ref: 0032A815
                                              • _strlen.LIBCMT ref: 00346D44
                                              • _memmove.LIBCMT ref: 00346DAD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                              • String ID:
                                              • API String ID: 3619996494-0
                                              • Opcode ID: 2613aa1a1f2c8432dd0d172a64c4c79d4297336afec788a314320c05e28cecaa
                                              • Instruction ID: b0bb244217fd37e0079c484ee601e81b2f356ae43ae56b830c08a88b4c4ca6f7
                                              • Opcode Fuzzy Hash: 2613aa1a1f2c8432dd0d172a64c4c79d4297336afec788a314320c05e28cecaa
                                              • Instruction Fuzzy Hash: 2781CE71604300ABC711EF28CC82E6AB7E9EF86714F10491EF9559B2E2DB70AD44CB92
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove$__itow__swprintf
                                              • String ID:
                                              • API String ID: 3253778849-0
                                              • Opcode ID: fc3af12b12bf3c0056c56eb678251284c3d22cbf04ff98c40d813ff119c1a79e
                                              • Instruction ID: 7528800e86c698e6983345d1c27c2d69a6ae2ddad96aea355501feff3f2a5750
                                              • Opcode Fuzzy Hash: fc3af12b12bf3c0056c56eb678251284c3d22cbf04ff98c40d813ff119c1a79e
                                              • Instruction Fuzzy Hash: BF61AC3191025AAFCF02EF60CC82EFE77A9AF09348F058529F9559B292DB34DC65DB50
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 00350E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034FDAD,?,?), ref: 00350E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003502BD
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003502FD
                                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00350320
                                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00350349
                                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0035038C
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00350399
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                              • String ID:
                                              • API String ID: 4046560759-0
                                              • Opcode ID: fc1f533097bd80bbfe6cf6bf4be6cc2dbe7f989b4112c8d4fb215a0d56cddf60
                                              • Instruction ID: 572bdfc13534616e277fb320153e3571718f18894d6e109d002267d0289ae98f
                                              • Opcode Fuzzy Hash: fc1f533097bd80bbfe6cf6bf4be6cc2dbe7f989b4112c8d4fb215a0d56cddf60
                                              • Instruction Fuzzy Hash: A9516A31118340AFC705EF64C885E6EBBE8FF85314F04492DF9858B2A2DB32E919CB52
                                              APIs
                                              • GetMenu.USER32(?), ref: 003557FB
                                              • GetMenuItemCount.USER32(00000000), ref: 00355832
                                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0035585A
                                              • GetMenuItemID.USER32(?,?), ref: 003558C9
                                              • GetSubMenu.USER32(?,?), ref: 003558D7
                                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00355928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountMessagePostString
                                              • String ID:
                                              • API String ID: 650687236-0
                                              • Opcode ID: f7dbb58a5473a00df259b6efebb659b9a95de8ecf874c9074183a2e4ad3243d6
                                              • Instruction ID: 62a618c2202c3aa8ba9b8593d9df16ffaa35e2314e1c2a90679d9e46c10dacbf
                                              • Opcode Fuzzy Hash: f7dbb58a5473a00df259b6efebb659b9a95de8ecf874c9074183a2e4ad3243d6
                                              • Instruction Fuzzy Hash: 7B515C31E00615EFCF12EF64C895AAEB7B4EF48321F154069ED51BB361CB74AE458B90
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 0032EF06
                                              • VariantClear.OLEAUT32(00000013), ref: 0032EF78
                                              • VariantClear.OLEAUT32(00000000), ref: 0032EFD3
                                              • _memmove.LIBCMT ref: 0032EFFD
                                              • VariantClear.OLEAUT32(?), ref: 0032F04A
                                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0032F078
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$Clear$ChangeInitType_memmove
                                              • String ID:
                                              • API String ID: 1101466143-0
                                              • Opcode ID: c0439f8567b1078c2c90c90e666e563a72227c44fa431ce2c4711864b044cae4
                                              • Instruction ID: 70e87078241343a9fcc3733bf85c44ba4d37bb3410327e13d0412bdd96d964ce
                                              • Opcode Fuzzy Hash: c0439f8567b1078c2c90c90e666e563a72227c44fa431ce2c4711864b044cae4
                                              • Instruction Fuzzy Hash: D25176B5A00219EFCB10DF58D884AAAB7B8FF4C310F15856AE949DB301E730E911CFA0
                                              APIs
                                              • _memset.LIBCMT ref: 00332258
                                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003322A3
                                              • IsMenu.USER32(00000000), ref: 003322C3
                                              • CreatePopupMenu.USER32 ref: 003322F7
                                              • GetMenuItemCount.USER32(000000FF), ref: 00332355
                                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00332386
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                              • String ID:
                                              • API String ID: 3311875123-0
                                              • Opcode ID: 7144fe4db70500b0a8fef3ed75651a41c2fe039b9992bb06151580090396197c
                                              • Instruction ID: 9644646353925d993ea8b453dc0d36e952144ca95a22b9c5634f1523d574ee84
                                              • Opcode Fuzzy Hash: 7144fe4db70500b0a8fef3ed75651a41c2fe039b9992bb06151580090396197c
                                              • Instruction Fuzzy Hash: 5951BC34601309EFDF22CF68C8C8BAFBBF9AF05324F154529E851AB2A0E3759904CB51
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 002D179A
                                              • GetWindowRect.USER32(?,?), ref: 002D17FE
                                              • ScreenToClient.USER32(?,?), ref: 002D181B
                                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 002D182C
                                              • EndPaint.USER32(?,?), ref: 002D1876
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                              • String ID:
                                              • API String ID: 1827037458-0
                                              • Opcode ID: ab3cdf88628ec0559855aed94329c171a35d118d565ef6f7b84521a885d830cb
                                              • Instruction ID: 97eb320ee14c81258b94fde08019d6c76cddfb894b7eefb0abbf00289db0b2a0
                                              • Opcode Fuzzy Hash: ab3cdf88628ec0559855aed94329c171a35d118d565ef6f7b84521a885d830cb
                                              • Instruction Fuzzy Hash: 9541BC30615740AFE712DF24CC84BAA7BE8EB49724F04422AF9A48B2B1C7319C65DB61
                                              APIs
                                              • ShowWindow.USER32(003957B0,00000000,01464E10,?,?,003957B0,?,0035B5A8,?,?), ref: 0035B712
                                              • EnableWindow.USER32(00000000,00000000), ref: 0035B736
                                              • ShowWindow.USER32(003957B0,00000000,01464E10,?,?,003957B0,?,0035B5A8,?,?), ref: 0035B796
                                              • ShowWindow.USER32(00000000,00000004,?,0035B5A8,?,?), ref: 0035B7A8
                                              • EnableWindow.USER32(00000000,00000001), ref: 0035B7CC
                                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0035B7EF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$Show$Enable$MessageSend
                                              • String ID:
                                              • API String ID: 642888154-0
                                              • Opcode ID: 501984b3c880d52f4544fa1fb9f02e82e61114bcda52f889c546db243a502bd7
                                              • Instruction ID: e487f91a4b549c48a552e10ea52504b04cbe7bf84780c7478ba246042d7e235f
                                              • Opcode Fuzzy Hash: 501984b3c880d52f4544fa1fb9f02e82e61114bcda52f889c546db243a502bd7
                                              • Instruction Fuzzy Hash: 4B415F34600240AFDB23DF24C499F94BBE1FF49352F1941A9ED488F6B2C731A85ACB60
                                              APIs
                                              • GetForegroundWindow.USER32(?,?,?,?,?,?,00344E41,?,?,00000000,00000001), ref: 003470AC
                                                • Part of subcall function 003439A0: GetWindowRect.USER32(?,?), ref: 003439B3
                                              • GetDesktopWindow.USER32 ref: 003470D6
                                              • GetWindowRect.USER32(00000000), ref: 003470DD
                                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0034710F
                                                • Part of subcall function 00335244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003352BC
                                              • GetCursorPos.USER32(?), ref: 0034713B
                                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00347199
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                              • String ID:
                                              • API String ID: 4137160315-0
                                              • Opcode ID: e0a6e7b1e476a6eb9adcf1f0f609fb419a1a96b679c3b00a22eef953893cb080
                                              • Instruction ID: 5d3f00fdc38c43806d832b25335452fecae1fc727791427858e378324efbcaca
                                              • Opcode Fuzzy Hash: e0a6e7b1e476a6eb9adcf1f0f609fb419a1a96b679c3b00a22eef953893cb080
                                              • Instruction Fuzzy Hash: 5A31B072509305AFD721DF14C849F9BB7EAFF89314F000929F585AB191DB70EA09CB92
                                              APIs
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                                • Part of subcall function 002EFC86: _wcscpy.LIBCMT ref: 002EFCA9
                                              • _wcstok.LIBCMT ref: 0033EC94
                                              • _wcscpy.LIBCMT ref: 0033ED23
                                              • _memset.LIBCMT ref: 0033ED56
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                              • String ID: X
                                              • API String ID: 774024439-3081909835
                                              • Opcode ID: e0bc51002d8347e6c54a554a097be64508dda26766e2ceeb444aa6aac76e9df7
                                              • Instruction ID: 62afbb0405b004d1e489671273928c122592d9f2bd013f699be2f536ec14eb11
                                              • Opcode Fuzzy Hash: e0bc51002d8347e6c54a554a097be64508dda26766e2ceeb444aa6aac76e9df7
                                              • Instruction Fuzzy Hash: 10C17B715183409FC715EF24C885AAAB7E4AF85314F11492EF8999B3A2DB70EC55CF82
                                              APIs
                                                • Part of subcall function 003280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003280C0
                                                • Part of subcall function 003280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003280CA
                                                • Part of subcall function 003280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003280D9
                                                • Part of subcall function 003280A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 003280E0
                                                • Part of subcall function 003280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003280F6
                                              • GetLengthSid.ADVAPI32(?,00000000,0032842F), ref: 003288CA
                                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 003288D6
                                              • RtlAllocateHeap.NTDLL(00000000), ref: 003288DD
                                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 003288F6
                                              • GetProcessHeap.KERNEL32(00000000,00000000,0032842F), ref: 0032890A
                                              • HeapFree.KERNEL32(00000000), ref: 00328911
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                              • String ID:
                                              • API String ID: 169236558-0
                                              • Opcode ID: d1d6effc33f04787c95f67ea984ae37354882c3f12082edc5976871fbae4fbc8
                                              • Instruction ID: a5b2f4674adb32b2a024fb88fda17cb36e0443ad3d5e7b7c856528b1f28e1345
                                              • Opcode Fuzzy Hash: d1d6effc33f04787c95f67ea984ae37354882c3f12082edc5976871fbae4fbc8
                                              • Instruction Fuzzy Hash: 3711B171502619FFDB129FA4EC09BBE77ACEB44312F148028E845D7120CB329E44DB60
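                                               The function records above (the Winsock function, the registry-enumeration function, the menu and window helpers, and this token/SID function) all share one fixed layout: an "APIs" bullet list in which "Part of subcall function ADDR:" marks calls reached through a callee, a "Memory Dump Source" block, and a "Similarity" block that ends with the "Instruction Fuzzy Hash" line. The following Python is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses that layout into records and tags each function by the API family it reaches, so a triager can sort a listing of this size by network, registry, token and input-simulation use instead of reading it top to bottom. The tag table, the `summarize` helper and the trimmed embedded sample (constructed from three records on this page) are this example's own assumptions.

```python
"""Parse the per-function records of a Joe Sandbox IDA-plugin listing and tag
each function by the Windows API family it reaches. Added example, not Joe
Sandbox code; the tag table below is a hypothetical triage heuristic."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: three records copied from the listing above, with the
# repeated "Associated"/"Snapshot File" lines and some API lines trimmed.
SAMPLE = """\
APIs
• __WSAFDIsSet.WS2_32(00000000,?), ref: 00346C00
• WSAGetLastError.WS2_32(00000000), ref: 00346C34
• htons.WS2_32(?), ref: 00346CEA
• inet_ntoa.WS2_32(?), ref: 00346CA7
  • Part of subcall function 0032A7E9: _strlen.LIBCMT ref: 0032A7F3
  • Part of subcall function 0032A7E9: _memmove.LIBCMT ref: 0032A815
• _strlen.LIBCMT ref: 00346D44
• _memmove.LIBCMT ref: 00346DAD
Memory Dump Source
• Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• Instruction Fuzzy Hash: 2781CE71604300ABC711EF28CC82E6AB7E9EF86714F10491EF9559B2E2DB70AD44CB92
APIs
  • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
  • Part of subcall function 00350E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034FDAD,?,?), ref: 00350E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003502BD
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00350349
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• Instruction Fuzzy Hash: A9516A31118340AFC705EF64C885E6EBBE8FF85314F04492DF9858B2A2DB32E919CB52
APIs
  • Part of subcall function 003280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003280C0
• GetLengthSid.ADVAPI32(?,00000000,0032842F), ref: 003288CA
• RtlAllocateHeap.NTDLL(00000000), ref: 003288DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 003288F6
Similarity
• API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
• Instruction Fuzzy Hash: 3711B171502619FFDB129FA4EC09BBE77ACEB44312F148028E845D7120CB329E44DB60
"""

# One "api.MODULE(args), ref: ADDR" line; the argument list and the comma are
# optional, and a "Part of subcall function ADDR:" prefix marks callee calls.
API_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-F]+): )?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
ApiCall = namedtuple("ApiCall", "api module args ref caller")  # caller is None for direct calls


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)   # ApiCall entries, in listing order
    fields: dict = field(default_factory=dict)  # "API ID", "Instruction Fuzzy Hash", ...

    @property
    def direct_calls(self):
        """Calls made by the function itself, not by one of its callees."""
        return [c for c in self.calls if c.caller is None]


def parse_records(text):
    """Split the listing into records; each record opens at an "APIs" header."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                current = FunctionRecord()
                records.append(current)
            section = line
        elif current is not None and line.startswith("•"):
            body = line.lstrip("•").strip()
            m = API_LINE.match(body) if section == "APIs" else None
            if m:
                current.calls.append(ApiCall(m["api"], m["module"], m["args"] or "", m["ref"], m["caller"]))
            else:  # "Key: value" bullets from the dump-source and similarity blocks
                key, _, value = body.partition(":")
                current.fields[key.strip()] = value.strip()
    return records


# Hypothetical tag table: the API families a triager wants surfaced first.
TAGS = {
    "network": lambda c: c.module == "WS2_32",
    "registry": lambda c: c.module == "ADVAPI32" and c.api.startswith("Reg"),
    "token-sid": lambda c: c.api in {"OpenProcessToken", "GetTokenInformation", "GetLengthSid", "CopySid"},
    "input-simulation": lambda c: c.api in {"mouse_event", "keybd_event", "SendInput"},
}


def classify(record):
    """Tags for a record, counting both direct calls and calls inside subcalls."""
    return {tag for tag, pred in TAGS.items() if any(pred(c) for c in record.calls)}


def summarize(text):
    """(API ID, fuzzy hash, sorted tags) for every record that earns a tag."""
    return [(r.fields.get("API ID", ""), r.fields.get("Instruction Fuzzy Hash", ""), sorted(classify(r)))
            for r in parse_records(text) if classify(r)]
```

                                               Run `summarize` over the text of a whole report section and the fuzzy hash in each tuple is the value to pivot on across other samples; the subcall prefix is kept as a separate `caller` field because a tag earned only through a callee (here, `GetTokenInformation` inside 003280A9) points at a different function than a tag earned by a direct call.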
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0032B7B5
                                              • GetDeviceCaps.GDI32(00000000,00000058), ref: 0032B7C6
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0032B7CD
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0032B7D5
                                              • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0032B7EC
                                              • MulDiv.KERNEL32(000009EC,?,?), ref: 0032B7FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: 05936b562862d857e24f974fe2c6021fe6d47716851a71fca268233b89f804b2
                                              • Instruction ID: 70c8e3469a4129576f2dcd485291d19e9fbbb94f73ff7e95ab5cc1caeb262a84
                                              • Opcode Fuzzy Hash: 05936b562862d857e24f974fe2c6021fe6d47716851a71fca268233b89f804b2
                                              • Instruction Fuzzy Hash: A9018475E00319BFEB119BA69C45A5EBFBCEF48311F004075FA04AB291D6319C00CF90
                                              APIs
                                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 002F0193
                                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 002F019B
                                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 002F01A6
                                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 002F01B1
                                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 002F01B9
                                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 002F01C1
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Virtual
                                              • String ID:
                                              • API String ID: 4278518827-0
                                              • Opcode ID: 6e2572e63a7ddc97802a20212d71dd61abb7d9a18f0c731f74a9e5acf0559165
                                              • Instruction ID: 21b3d25b76ed73a41ba8032c02ccf0019b052637872329bd3101afb4724e9c19
                                              • Opcode Fuzzy Hash: 6e2572e63a7ddc97802a20212d71dd61abb7d9a18f0c731f74a9e5acf0559165
                                              • Instruction Fuzzy Hash: F5016CB09017597DE3009F5A8C85B52FFE8FF19354F00411BA15C47941C7F5A864CBE5
                                              APIs
                                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003353F9
                                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0033540F
                                              • GetWindowThreadProcessId.USER32(?,?), ref: 0033541E
                                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033542D
                                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00335437
                                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0033543E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                              • String ID:
                                              • API String ID: 839392675-0
                                              • Opcode ID: d1fcfaf4a8210b9fde04b06bd8c7146d4ff5816ca4bde07f569c8e0201081c48
                                              • Instruction ID: e3c9cf2251440f89ea110eb6e314c04f2aaab17f8737869f6a3ec0491cb000fd
                                              • Opcode Fuzzy Hash: d1fcfaf4a8210b9fde04b06bd8c7146d4ff5816ca4bde07f569c8e0201081c48
                                              • Instruction Fuzzy Hash: 5CF01D32241658BFE7225BA2DC0EEAB7B7CEBC6B12F000169FA04D206196A11A0186B5
                                              APIs
                                              • InterlockedExchange.KERNEL32(?,?), ref: 00337243
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00337254
                                              • TerminateThread.KERNEL32(00000000,000001F6,?,002E0EE4,?,?), ref: 00337261
                                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,002E0EE4,?,?), ref: 0033726E
                                                • Part of subcall function 00336C35: CloseHandle.KERNEL32(00000000,?,0033727B,?,002E0EE4,?,?), ref: 00336C3F
                                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 00337281
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00337288
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                              • String ID:
                                              • API String ID: 3495660284-0
                                              • Opcode ID: fbc4dc0cceac12b65fc2ecc8bf19b48688ee2dfda8b7171e97d36b056b858459
                                              • Instruction ID: e698dc23123b16df3b0b756b09efbd83412d0214b5641ca7b983c6df043d9c33
                                              • Opcode Fuzzy Hash: fbc4dc0cceac12b65fc2ecc8bf19b48688ee2dfda8b7171e97d36b056b858459
                                              • Instruction Fuzzy Hash: 3FF017BA541712AFDA132B64ED889DB7739AB45703F110921F502954B0CB665801CA90
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 00348613
                                              • CharUpperBuffW.USER32(?,?), ref: 00348722
                                              • VariantClear.OLEAUT32(?), ref: 0034889A
                                                • Part of subcall function 00337562: VariantInit.OLEAUT32(00000000), ref: 003375A2
                                                • Part of subcall function 00337562: VariantCopy.OLEAUT32(00000000,?), ref: 003375AB
                                                • Part of subcall function 00337562: VariantClear.OLEAUT32(00000000), ref: 003375B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                              • API String ID: 4237274167-1221869570
                                              • Opcode ID: fc6df897b6a037eabba222e127b7aff03f7a54518ae42b2bd79701aeace9cb3b
                                              • Instruction ID: 75e730a020164f035fa5e235a3cb24c9f7c739e1bc6fa00eafa90ab6603a3271
                                              • Opcode Fuzzy Hash: fc6df897b6a037eabba222e127b7aff03f7a54518ae42b2bd79701aeace9cb3b
                                              • Instruction Fuzzy Hash: 86916B716043019FC711EF24C48495EBBE8EF89714F14896EF99A8B361DB31ED45CB92
                                              APIs
                                                • Part of subcall function 002EFC86: _wcscpy.LIBCMT ref: 002EFCA9
                                              • _memset.LIBCMT ref: 00332B87
                                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00332BB6
                                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00332C69
                                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00332C97
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                                              • String ID: 0
                                              • API String ID: 4152858687-4108050209
                                              • Opcode ID: 22f79043e428b83a8ff3451480262f794a282f4641d779112ad75c5b55e459cb
                                              • Instruction ID: 09c5631bc1ffb90aff76f0637090ca16005ea8ee47408e3044ee18eb68e829c2
                                              • Opcode Fuzzy Hash: 22f79043e428b83a8ff3451480262f794a282f4641d779112ad75c5b55e459cb
                                              • Instruction Fuzzy Hash: 1A51CD716183009FD7279E28D8C5A6FB7E8EF89350F151A2EF891D72A1DB70CD448B92
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove$_free
                                              • String ID: 3c.$_.
                                              • API String ID: 2620147621-1871209941
                                              • Opcode ID: cfcff6650c391e02b5170f40caf198130b36e27d90b5f62d5fc5b9023745422d
                                              • Instruction ID: 07457933c58b19c7dab9ade3c76f0122cb2ee0c4b24143963d3761e59b402e35
                                              • Opcode Fuzzy Hash: cfcff6650c391e02b5170f40caf198130b36e27d90b5f62d5fc5b9023745422d
                                              • Instruction Fuzzy Hash: 79519D716243818FDB25CF29C485B6ABBE5FF89310F44492CE98987391DB31E951CF92
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memset$_memmove
                                              • String ID: 3c.$ERCP
                                              • API String ID: 2532777613-2920558574
                                              • Opcode ID: 0547f03bafa65180a4bc5792a446adafd9909342cd5881974b7beb7eefe30844
                                              • Instruction ID: 73fd36c73eb636c7ed6409c7bdf8c1a5c00938cc172a16183afa423e5d88f9eb
                                              • Opcode Fuzzy Hash: 0547f03bafa65180a4bc5792a446adafd9909342cd5881974b7beb7eefe30844
                                              • Instruction Fuzzy Hash: 4051E07091030ADFDB25CF66C885BAAB7E4EF14340F2085AEE94AD7251E370AA54CB40
                                              APIs
                                              • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0032D5D4
                                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0032D60A
                                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0032D61B
                                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0032D69D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorMode$AddressCreateInstanceProc
                                              • String ID: DllGetClassObject
                                              • API String ID: 753597075-1075368562
                                              • Opcode ID: 9a6da973fd34ec8985f306075cc1c9b606743976c8fad7857ac49f0158b4ec54
                                              • Instruction ID: 405335388060e8c38c1244287faaa31e9e5cc0cc57e385266d8d8d86e1e2df05
                                              • Opcode Fuzzy Hash: 9a6da973fd34ec8985f306075cc1c9b606743976c8fad7857ac49f0158b4ec54
                                              • Instruction Fuzzy Hash: 674194B1600214EFDB06DF54D884A9ABBBAEF44310F5581ADED09DF205D7B1DD44CBA0
                                              APIs
                                              • _memset.LIBCMT ref: 003327C0
                                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003327DC
                                              • DeleteMenu.USER32(?,00000007,00000000), ref: 00332822
                                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00395890,00000000), ref: 0033286B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Menu$Delete$InfoItem_memset
                                              • String ID: 0
                                              • API String ID: 1173514356-4108050209
                                              • Opcode ID: 6f2c5f724ab6f7fd1d91301fbe51f5378a4a0889445ba6ccbfce3637746d6a2a
                                              • Instruction ID: 2c7fc46901945addac3c1d84cbbe34e98bd263fd9c8e69800a72a683d10d1008
                                              • Opcode Fuzzy Hash: 6f2c5f724ab6f7fd1d91301fbe51f5378a4a0889445ba6ccbfce3637746d6a2a
                                              • Instruction Fuzzy Hash: D841A0702043419FD722DF25C884B2BBBE8EF85324F15492EF9A69B291D734E905CB52
                                              APIs
                                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0034D7C5
                                                • Part of subcall function 002D784B: _memmove.LIBCMT ref: 002D7899
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: BuffCharLower_memmove
                                              • String ID: cdecl$none$stdcall$winapi
                                              • API String ID: 3425801089-567219261
                                              • Opcode ID: 6519447d73dfbdd991c8f39cea85832c859a9952d657492e7608f9a7466d9bad
                                              • Instruction ID: 83e8790d3a93cca9de8f21503d19f14e204637b99b9d80a69d5b0bfad8cba70b
                                              • Opcode Fuzzy Hash: 6519447d73dfbdd991c8f39cea85832c859a9952d657492e7608f9a7466d9bad
                                              • Instruction Fuzzy Hash: 14317C71914619ABCF01EF58C8919FEB3F5FF04320B10866AE865AB7D2DB71AD15CB80
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 0032AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0032AABC
                                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00328F14
                                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00328F27
                                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 00328F57
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              Similarity
                                              • API ID: MessageSend$_memmove$ClassName
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 365058703-1403004172
                                              APIs
                                              • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034184C
                                              • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00341872
                                              • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003418A2
                                              • InternetCloseHandle.WININET(00000000), ref: 003418E9
                                                • Part of subcall function 00342483: GetLastError.KERNEL32(?,?,00341817,00000000,00000000,00000001), ref: 00342498
                                                • Part of subcall function 00342483: SetEvent.KERNEL32(?,?,00341817,00000000,00000000,00000001), ref: 003424AD
                                              Similarity
                                              • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                              • String ID:
                                              • API String ID: 3113390036-3916222277
                                              APIs
                                                • Part of subcall function 002D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D1D73
                                                • Part of subcall function 002D1D35: GetStockObject.GDI32(00000011), ref: 002D1D87
                                                • Part of subcall function 002D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D1D91
                                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00356461
                                              • LoadLibraryW.KERNEL32(?), ref: 00356468
                                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0035647D
                                              • DestroyWindow.USER32(?), ref: 00356485
                                              Similarity
                                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                              • String ID: SysAnimate32
                                              • API String ID: 4146253029-1011021900
                                              APIs
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00336DBC
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00336DEF
                                              • GetStdHandle.KERNEL32(0000000C), ref: 00336E01
                                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00336E3B
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00336E89
                                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00336EBB
                                              • GetStdHandle.KERNEL32(000000F6), ref: 00336ECC
                                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00336F06
                                              Similarity
                                              • API ID: CreateHandle$FilePipe
                                              • String ID: nul
                                              • API String ID: 4209266947-2873401336
                                              APIs
                                              • SetErrorMode.KERNEL32(00000001), ref: 0033AC54
                                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0033ACA8
                                              • __swprintf.LIBCMT ref: 0033ACC1
                                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0035F910), ref: 0033ACFF
                                              Similarity
                                              • API ID: ErrorMode$InformationVolume__swprintf
                                              • String ID: %lu
                                              • API String ID: 3164766367-685833217
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0032FCED,?,00330D40,?,00008000), ref: 0033115F
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0032FCED,?,00330D40,?,00008000), ref: 00331184
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0032FCED,?,00330D40,?,00008000), ref: 0033118E
                                              • Sleep.KERNEL32(?,?,?,?,?,?,?,0032FCED,?,00330D40,?,00008000), ref: 003311C1
                                              Similarity
                                              • API ID: CounterPerformanceQuerySleep
                                              • String ID: @3
                                              • API String ID: 2875609808-2242202505
                                              APIs
                                              • CharUpperBuffW.USER32(?,?), ref: 00331B19
                                              Similarity
                                              • API ID: BuffCharUpper
                                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                                              • API String ID: 3964851224-769500911
                                              APIs
                                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0034EC07
                                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0034EC37
                                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0034ED6A
                                              • CloseHandle.KERNEL32(?), ref: 0034EDEB
                                              Similarity
                                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                              • String ID:
                                              • API String ID: 2364364464-0
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 00350E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0034FDAD,?,?), ref: 00350E31
                                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003500FD
                                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0035013C
                                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00350183
                                              • RegCloseKey.ADVAPI32(?,?), ref: 003501AF
                                              • RegCloseKey.ADVAPI32(00000000), ref: 003501BC
                                              Similarity
                                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                              • String ID:
                                              • API String ID: 3440857362-0
                                              APIs
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0034D927
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0034D9AA
                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 0034D9C6
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 0034DA07
                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0034DA21
                                                • Part of subcall function 002D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337896,?,?,00000000), ref: 002D5A2C
                                                • Part of subcall function 002D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337896,?,?,00000000,?,?), ref: 002D5A50
                                              Similarity
                                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                              • String ID:
                                              • API String ID: 327935632-0
                                              APIs
                                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0033E61F
                                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0033E648
                                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0033E687
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0033E6AC
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0033E6B4
                                              Similarity
                                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                              • String ID:
                                              • API String ID: 1389676194-0
                                              APIs
                                              • GetCursorPos.USER32(?), ref: 002D2357
                                              • ScreenToClient.USER32(003957B0,?), ref: 002D2374
                                              • GetAsyncKeyState.USER32(00000001), ref: 002D2399
                                              • GetAsyncKeyState.USER32(00000002), ref: 002D23A7
                                              Similarity
                                              • API ID: AsyncState$ClientCursorScreen
                                              • String ID:
                                              • API String ID: 4210589936-0
                                              APIs
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003263E7
                                              • TranslateAcceleratorW.USER32(?,?,?), ref: 00326433
                                              • TranslateMessage.USER32(?), ref: 0032645C
                                              • DispatchMessageW.USER32(?), ref: 00326466
                                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00326475
                                              Similarity
                                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                                              • String ID:
                                              • API String ID: 2108273632-0
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 00328A30
                                              • PostMessageW.USER32(?,00000201,00000001), ref: 00328ADA
                                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00328AE2
                                              • PostMessageW.USER32(?,00000202,00000000), ref: 00328AF0
                                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00328AF8
                                              Similarity
                                              • API ID: MessagePostSleep$RectWindow
                                              • String ID:
                                              • API String ID: 3382505437-0
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 0032B204
                                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0032B221
                                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0032B259
                                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0032B27F
                                              • _wcsstr.LIBCMT ref: 0032B289
                                              Similarity
                                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                              • String ID:
                                              • API String ID: 3902887630-0
                                              APIs
                                                • Part of subcall function 002D2612: GetWindowLongW.USER32(?,000000EB), ref: 002D2623
                                              • GetWindowLongW.USER32(?,000000F0), ref: 0035B192
                                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0035B1B7
                                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0035B1CF
                                              • GetSystemMetrics.USER32(00000004), ref: 0035B1F8
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00340E90,00000000), ref: 0035B216
                                              Similarity
                                              • API ID: Window$Long$MetricsSystem
                                              • String ID:
                                              • API String ID: 2294984445-0
                                              APIs
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00329320
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00329352
                                              • __itow.LIBCMT ref: 0032936A
                                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00329392
                                              • __itow.LIBCMT ref: 003293A3
                                              Similarity
                                              • API ID: MessageSend$__itow$_memmove
                                              • String ID:
                                              • API String ID: 2983881199-0
                                              APIs
                                              • IsWindow.USER32(00000000), ref: 00345A6E
                                              • GetForegroundWindow.USER32 ref: 00345A85
                                              • GetDC.USER32(00000000), ref: 00345AC1
                                              • GetPixel.GDI32(00000000,?,00000003), ref: 00345ACD
                                              • ReleaseDC.USER32(00000000,00000003), ref: 00345B08
                                              Similarity
                                              • API ID: Window$ForegroundPixelRelease
                                              • String ID:
                                              • API String ID: 4156661090-0
                                              APIs
                                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 002D134D
                                              • SelectObject.GDI32(?,00000000), ref: 002D135C
                                              • BeginPath.GDI32(?), ref: 002D1373
                                              • SelectObject.GDI32(?,00000000), ref: 002D139C
                                              Similarity
                                              • API ID: ObjectSelect$BeginCreatePath
                                              • String ID:
                                              • API String ID: 3225163088-0
                                              APIs
                                              • GetCurrentThreadId.KERNEL32 ref: 00334ABA
                                              • __beginthreadex.LIBCMT ref: 00334AD8
                                              • MessageBoxW.USER32(?,?,?,?), ref: 00334AED
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00334B03
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00334B0A
                                              Similarity
                                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                              • String ID:
                                              • API String ID: 3824534824-0
                                              • Opcode ID: ea8e73a9cf75810fc5dcb3923a538055d193a08297280c824fd5f0e16f4382a5
                                              • Instruction ID: a92277d9c5544a84a5b359d7b3c2245904c40ad72a76e27a098f3ed32f808401
                                              • Opcode Fuzzy Hash: ea8e73a9cf75810fc5dcb3923a538055d193a08297280c824fd5f0e16f4382a5
                                              • Instruction Fuzzy Hash: E8110476905609BFC7039FA8EC48AABBFACEB45321F14426AF854D3260D671D9408BA0
                                              APIs
                                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0032821E
                                              • GetLastError.KERNEL32(?,00327CE2,?,?,?), ref: 00328228
                                              • GetProcessHeap.KERNEL32(00000008,?,?,00327CE2,?,?,?), ref: 00328237
                                              • RtlAllocateHeap.NTDLL(00000000,?,00327CE2), ref: 0032823E
                                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00328255
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 883493501-0
                                              • Opcode ID: 6672027731d2a28e76b7ab06a355004a06fea0ddb58c912c2503d7d7693cdae4
                                              • Instruction ID: 03239eb1437a6c05e3d1aba7d81362882855390136b5f830a95c5148891579d8
                                              • Opcode Fuzzy Hash: 6672027731d2a28e76b7ab06a355004a06fea0ddb58c912c2503d7d7693cdae4
                                              • Instruction Fuzzy Hash: 73016D71202714FFDB224FA5EC48D6B7BACEF8A755B500869F809C3220DA318D00CA60
                                              APIs
                                              • CLSIDFromProgID.COMBASE ref: 00327127
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00327142
                                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00327044,80070057,?,?), ref: 00327150
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00327160
                                              • CLSIDFromString.COMBASE(?,?), ref: 0032716C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: From$Prog$FreeStringTasklstrcmpi
                                              • String ID:
                                              • API String ID: 3897988419-0
                                              • Opcode ID: 7f213211689c9ddfbea918e85616eb6e79be949f8d971bcc8e2f383d779470ca
                                              • Instruction ID: 555ee8d6d7a5e088b7cb25253e20eb5648738bcf21b7792debfdc45b701567ad
                                              • Opcode Fuzzy Hash: 7f213211689c9ddfbea918e85616eb6e79be949f8d971bcc8e2f383d779470ca
                                              • Instruction Fuzzy Hash: E8018F76A01324BFDB124F64EC44BAA7BADFF44792F150064FD08D2220D731ED509BA0
                                              APIs
                                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335260
                                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0033526E
                                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00335276
                                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00335280
                                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003352BC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: PerformanceQuery$CounterSleep$Frequency
                                              • String ID:
                                              • API String ID: 2833360925-0
                                              • Opcode ID: b5a8c54d7b17f6cb0cfca3006b9b6a396dac69e7c0132d439b85a88e4c78744c
                                              • Instruction ID: 8e1e035dbca26c7634c108e522d505d95c638d711bf68591077b2fe21e56df1b
                                              • Opcode Fuzzy Hash: b5a8c54d7b17f6cb0cfca3006b9b6a396dac69e7c0132d439b85a88e4c78744c
                                              • Instruction Fuzzy Hash: B0012931D02A1DDBCF02EFE4E8899EEBB7CFB09712F410956E945F21A0CB30565087A1
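The function above reads QueryPerformanceCounter, calls Sleep, then reads the counter again: the standard way to test whether a sleep really lasted as long as requested, which is what the report's "execution timing, often used to detect debuggers" signature refers to. The Python below is an added illustration, not code from the sample or from Joe Sandbox. It reproduces the same measure, sleep, measure sequence with time.perf_counter_ns (which already yields nanosecond ticks, so the separate QueryPerformanceFrequency division is not needed) and classifies the result. The thresholds and the verdict names are this example's own choices, not values recovered from the binary.

```python
import time

# Thresholds are this example's own choices, not values taken from the sample.
FAST_TOLERANCE = 0.9   # returned in under 90 % of the requested time: sleep was shortened
SLOW_FACTOR = 4.0      # took more than 4x the requested time: execution was paused


def classify_sleep(requested_ms, measured_ms,
                   fast_tolerance=FAST_TOLERANCE, slow_factor=SLOW_FACTOR):
    """Interpret a Sleep bracketed by two high-resolution counter reads.

    'skipped' -> returned far too early: Sleep was hooked or accelerated, which
                 is how sandboxes outwait long delays
    'stalled' -> took far too long: breakpoint, single-stepping or an overloaded
                 analysis VM
    'normal'  -> elapsed time is close to what was requested
    """
    if measured_ms < requested_ms * fast_tolerance:
        return "skipped"
    if measured_ms > requested_ms * slow_factor:
        return "stalled"
    return "normal"


def timed_sleep_ms(requested_ms, sleep=time.sleep, clock_ns=time.perf_counter_ns):
    """Mirror the QueryPerformanceCounter / Sleep / QueryPerformanceCounter
    sequence: read the counter, sleep, read it again, return elapsed ms."""
    start = clock_ns()
    sleep(requested_ms / 1000.0)
    return (clock_ns() - start) / 1_000_000.0


def environment_verdict(requested_ms=50, **kw):
    """Run one measurement and classify it; kw lets a caller inject a fake sleep."""
    return classify_sleep(requested_ms, timed_sleep_ms(requested_ms, **kw))


if __name__ == "__main__":
    # A hooked Sleep that returns immediately is what sandbox sleep-skipping looks like.
    print("real sleep  :", environment_verdict(50))
    print("hooked sleep:", environment_verdict(50, sleep=lambda s: None))
```

The two-sided check matters: an analyst who only patches Sleep to return immediately trips the "skipped" branch, while stepping through the function in a debugger trips the "stalled" branch. A second Sleep after the comparison, as in the listing above, is typically the delay the malware actually wanted once it is satisfied the clock is honest.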
                                              APIs
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00328121
                                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0032812B
                                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0032813A
                                              • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00328141
                                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328157
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: HeapInformationToken$AllocateErrorLastProcess
                                              • String ID:
                                              • API String ID: 47921759-0
                                              • Opcode ID: 85eef98a7268ca5c6d14275d0313dce4f332f13f5249c9865c8ea81700225bb9
                                              • Instruction ID: fc44b7d796385f376a6a297f4225b447227333b806fa8b7b7e3d952948ae2748
                                              • Opcode Fuzzy Hash: 85eef98a7268ca5c6d14275d0313dce4f332f13f5249c9865c8ea81700225bb9
                                              • Instruction Fuzzy Hash: 92F06275202324AFEB120FA5EC8DE6B3BACFF49755F040025F945C71A0CB61ED51DA60
                                              APIs
                                              • GetDlgItem.USER32(?,000003E9), ref: 0032C1F7
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 0032C20E
                                              • MessageBeep.USER32(00000000), ref: 0032C226
                                              • KillTimer.USER32(?,0000040A), ref: 0032C242
                                              • EndDialog.USER32(?,00000001), ref: 0032C25C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                                              • String ID:
                                              • API String ID: 3741023627-0
                                              • Opcode ID: c09e4de7e07fa301a2ecd28f5f3f8f195c55f79b6a38608de0ec1fc2a46c8573
                                              • Instruction ID: 495da2ea4c41412577e6a7da57b3a69324b8a694b4af1b420f23d0558ae7b44d
                                              • Opcode Fuzzy Hash: c09e4de7e07fa301a2ecd28f5f3f8f195c55f79b6a38608de0ec1fc2a46c8573
                                              • Instruction Fuzzy Hash: 990167305147149BEB226B64ED4EF9677BCBF00706F000669A582914F1DBE469549B91
                                              APIs
                                              • EndPath.GDI32(?), ref: 002D13BF
                                              • StrokeAndFillPath.GDI32(?,?,0030B888,00000000,?), ref: 002D13DB
                                              • SelectObject.GDI32(?,00000000), ref: 002D13EE
                                              • DeleteObject.GDI32 ref: 002D1401
                                              • StrokePath.GDI32(?), ref: 002D141C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Path$ObjectStroke$DeleteFillSelect
                                              • String ID:
                                              • API String ID: 2625713937-0
                                              • Opcode ID: d3a862a5f7d28e88af25016783ddd8579d78d357ffc7bac4a6f8a42b28a84ea9
                                              • Instruction ID: 5398de9866c222f91023703705a041409cadd523fced45ee6db134a66bb5e3c5
                                              • Opcode Fuzzy Hash: d3a862a5f7d28e88af25016783ddd8579d78d357ffc7bac4a6f8a42b28a84ea9
                                              • Instruction Fuzzy Hash: 52F0C93011AB09EFDB136F26EC4C7583BACAB01326F088226E429995F1C73249E5DF50
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0032899D
                                              • CloseHandle.KERNEL32(?), ref: 003289B2
                                              • CloseHandle.KERNEL32(?), ref: 003289BA
                                              • GetProcessHeap.KERNEL32(00000000,?), ref: 003289C3
                                              • HeapFree.KERNEL32(00000000), ref: 003289CA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                              • String ID:
                                              • API String ID: 3751786701-0
                                              • Opcode ID: 4800d3ac80e4ac3cbbdd065127f1a177c65bbdf445cec665eba88929edc22485
                                              • Instruction ID: 7d37aa3dda478f375b9e5c3e90047bff58e0fcffe95c71fa3dfd338e4c238129
                                              • Opcode Fuzzy Hash: 4800d3ac80e4ac3cbbdd065127f1a177c65bbdf445cec665eba88929edc22485
                                              • Instruction Fuzzy Hash: 76E05276105605FFDA022FE5EC0C95ABB6DFB89763B508631F21981470CB32A561DB90
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 0033C432
                                              • CoCreateInstance.COMBASE(00362D6C,00000000,00000001,00362BDC,?), ref: 0033C44A
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              • CoUninitialize.COMBASE ref: 0033C6B7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CreateInitializeInstanceUninitialize_memmove
                                              • String ID: .lnk
                                              • API String ID: 2683427295-24824748
                                              • Opcode ID: ceb76c4d1253fbcb5c37642e0f7d872c5706c1a183672b2a020005548c16e67b
                                              • Instruction ID: 51703af1d9d5b840d23f7580fc20bf24b70d039fa76780043c9a39526868fde9
                                              • Opcode Fuzzy Hash: ceb76c4d1253fbcb5c37642e0f7d872c5706c1a183672b2a020005548c16e67b
                                              • Instruction Fuzzy Hash: E0A15A71114205AFD301EF54C881EABB7E8EF84314F00492DF5959B2A2EB71EE59CFA2
                                              APIs
                                                • Part of subcall function 002F0DB6: std::exception::exception.LIBCMT ref: 002F0DEC
                                                • Part of subcall function 002F0DB6: __CxxThrowException@8.LIBCMT ref: 002F0E01
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 002D7A51: _memmove.LIBCMT ref: 002D7AAB
                                              • __swprintf.LIBCMT ref: 002E2ECD
                                              Strings
                                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 002E2D66
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                              • API String ID: 1943609520-557222456
                                              • Opcode ID: 35dae7cc159793e551f56bdd395585deeec4f2944a5dcc27282b51eda7d21642
                                              • Instruction ID: 89e1a144fa4d504f43018e04968546cd24c256384537954cf8631f1c0f09f31a
                                              • Opcode Fuzzy Hash: 35dae7cc159793e551f56bdd395585deeec4f2944a5dcc27282b51eda7d21642
                                              • Instruction Fuzzy Hash: D6919E71128255DFC718EF25C896CAEB7A8EF49310F44491EF4869B2A1EA30ED58CB52
                                              APIs
                                                • Part of subcall function 002D4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,002D4743,?,?,002D37AE,?), ref: 002D4770
                                              • CoInitialize.OLE32(00000000), ref: 0033B9BB
                                              • CoCreateInstance.COMBASE(00362D6C,00000000,00000001,00362BDC,?), ref: 0033B9D4
                                              • CoUninitialize.COMBASE ref: 0033B9F1
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                              • String ID: .lnk
                                              • API String ID: 2126378814-24824748
                                              • Opcode ID: cbafb74d7a2ccf633ab34a11a897430e1f29b944bf57818f974b354fcb34438c
                                              • Instruction ID: 8ace5ee884c79a3aa341aee64824cb529d142327477c1d3b966fc98351e0372c
                                              • Opcode Fuzzy Hash: cbafb74d7a2ccf633ab34a11a897430e1f29b944bf57818f974b354fcb34438c
                                              • Instruction Fuzzy Hash: 4DA153756043059FCB01EF14C884D6ABBE5FF89314F058989F99A9B3A1CB31EC85CB91
                                              APIs
                                              • OleSetContainedObject.OLE32(?,00000001), ref: 0032B4BE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ContainedObject
                                              • String ID: AutoIt3GUI$Container$%6
                                              • API String ID: 3565006973-1037786575
                                              • Opcode ID: 189e0d6c35afd60817ddecb7e4d7402f401018f2f81a68dc8018d2396800ed00
                                              • Instruction ID: d642cbf3371da261485442ccc7debc6d2fa6a949ebefa63f7b64192387dbc2bd
                                              • Opcode Fuzzy Hash: 189e0d6c35afd60817ddecb7e4d7402f401018f2f81a68dc8018d2396800ed00
                                              • Instruction Fuzzy Hash: 8C916774200711AFDB15DF28D884B6ABBE9FF49700F20856EE94ACF6A1DB70E841CB50
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 002F50AD
                                                • Part of subcall function 003000F0: __87except.LIBCMT ref: 0030012B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ErrorHandling__87except__start
                                              • String ID: pow
                                              • API String ID: 2905807303-2276729525
                                              • Opcode ID: f0c889d077fa7ea44a7c23b43d6ae129e2742b13871a6d95ce2ad55ace954a64
                                              • Instruction ID: 7621f1655d505d143047f01853af67d18987f6777cea0b438453c38c0adfd5a2
                                              • Opcode Fuzzy Hash: f0c889d077fa7ea44a7c23b43d6ae129e2742b13871a6d95ce2ad55ace954a64
                                              • Instruction Fuzzy Hash: 5B51907192E90687D71B7B14C82137F6B989B00380F208D7DE6D5862D9DF748DE49A86
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _memmove
                                              • String ID: 3c.$_.
                                              • API String ID: 4104443479-1871209941
                                              • Opcode ID: 28fdadb57a19a6f9ea6f72354d006cb0098b7365818f3e4b8384f70947ace290
                                              • Instruction ID: d3a544f064475c000e9d30f9a94ac00454b043a7b578943a5b8a96f8948ac81c
                                              • Opcode Fuzzy Hash: 28fdadb57a19a6f9ea6f72354d006cb0098b7365818f3e4b8384f70947ace290
                                              • Instruction Fuzzy Hash: C1517E70D00609DFCB29CF69C880AEEB7B1FF49304F158529E85AD7250EB31E9A5CB51
                                              APIs
                                                • Part of subcall function 003314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00329296,?,?,00000034,00000800,?,00000034), ref: 003314E6
                                              • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0032983F
                                                • Part of subcall function 00331487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003314B1
                                                • Part of subcall function 003313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00331409
                                                • Part of subcall function 003313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0032925A,00000034,?,?,00001004,00000000,00000000), ref: 00331419
                                                • Part of subcall function 003313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0032925A,00000034,?,?,00001004,00000000,00000000), ref: 0033142F
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003298AC
                                              • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003298F9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                              • String ID: @
                                              • API String ID: 4150878124-2766056989
                                              • Opcode ID: 5206c8d5ed47e29dc6b51a686385d0f60407092c06fc8ed7e382d45996e7d0a4
                                              • Instruction ID: 6c3c07997fb1c954a8c8846ecc0f50a49507e4aa35c00ea09ca1b6f6eb17523a
                                              • Opcode Fuzzy Hash: 5206c8d5ed47e29dc6b51a686385d0f60407092c06fc8ed7e382d45996e7d0a4
                                              • Instruction Fuzzy Hash: 67415F7690121CBFCB11DFA4CD85BDEBBB8EB09300F004099F945B7191DA716E85CBA0
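The entry above (OpenProcess, VirtualAllocEx, WriteProcessMemory, SendMessageW, ReadProcessMemory in one function) is the one in this part of the listing an analyst will want to triage first, because the same four kernel32 calls are the core of classic process injection. What follows is an added example, not code from the Joe Sandbox report, from the AutoIt runtime or from Remcos: a Python parser for these IDA-plugin function entries that pulls out the API sequence and the similarity fields (Opcode ID, Instruction Fuzzy Hash) for pivoting, decodes the OpenProcess access mask (00000438) and the VirtualAllocEx protection (00000004), and separates a non-executable cross-process data buffer from a remote-thread injection pattern. The SAMPLE text is constructed from two entries of this report; the report's field names are kept, and the verdict strings, the ApiCall/FuncEntry types and the "AutoIt control reader" interpretation are the example's own assumptions.

```python
"""Added example (not from the Joe Sandbox report, AutoIt or Remcos): parse the
IDA-plugin function entries above and triage the cross-process memory access."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed from two entries of the report above (report field names kept as-is).
SAMPLE = """\
APIs
  • Part of subcall function 003314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00329296,?,?,00000034,00000800,?,00000034), ref: 003314E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0032983F
  • Part of subcall function 00331487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003314B1
  • Part of subcall function 003313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00331409
  • Part of subcall function 003313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0032925A,00000034,?,?,00001004,00000000,00000000), ref: 00331419
  • Part of subcall function 003313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0032925A,00000034,?,?,00001004,00000000,00000000), ref: 0033142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003298AC
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• Opcode ID: 5206c8d5ed47e29dc6b51a686385d0f60407092c06fc8ed7e382d45996e7d0a4
• Instruction Fuzzy Hash: 67415F7690121CBFCB11DFA4CD85BDEBBB8EB09300F004099F945B7191DA716E85CBA0
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0035F910,00000000,?,?,?,?), ref: 003579DF
• GetWindowLongW.USER32 ref: 003579FC
Similarity
• Opcode ID: eae8c961135bf8490f031ccbdf3e41b6107a4c901f78e2baf6dd9945704f2bc0
"""

# One API line: optional "Part of subcall function XXXXXXXX:", Name.MODULE, optional (args), ref: XXXXXXXX
API_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
                    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})")
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")   # "• Opcode ID: ..." etc.

PROCESS_ACCESS = {  # PROCESS_* access rights from winnt.h
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
EXEC_PROTECT = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY
REMOTE_RW = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory"}
THREAD_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "SetThreadContext", "QueueUserAPC"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list                  # raw tokens; '?' where the sandbox could not resolve the value
    ref: str
    subcall: Optional[str] = None

@dataclass
class FuncEntry:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)   # "Opcode ID", "Instruction Fuzzy Hash", ...

def parse_entries(text):
    """Split the listing at each 'APIs' header; collect API calls and similarity fields."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FuncEntry(); entries.append(cur); continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"]
    return entries

def hexarg(call, idx):
    """idx-th argument as int, or None when the report shows '?' (unresolved) or no such arg."""
    try:
        return int(call.args[idx], 16)
    except (IndexError, ValueError):
        return None

def decode_access(mask):
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]

def classify(entry):
    """None unless the entry has all four remote read/write primitives; else a triage dict."""
    names = {c.name for c in entry.apis}
    if not REMOTE_RW <= names:
        return None
    by_name = {c.name: c for c in entry.apis}
    access = hexarg(by_name["OpenProcess"], 0)      # dwDesiredAccess
    protect = hexarg(by_name["VirtualAllocEx"], 4)  # flProtect
    spawns_thread = bool(names & THREAD_APIS)
    if spawns_thread or protect in EXEC_PROTECT:
        verdict = "remote-injection"
    elif protect is None:
        verdict = "unresolved protection; inspect manually"
    else:
        verdict = "cross-process data buffer (AutoIt control reader pattern)"
    return {"access": access, "rights": decode_access(access or 0),
            "remote_alloc_executable": None if protect is None else protect in EXEC_PROTECT,
            "spawns_remote_thread": spawns_thread, "verdict": verdict,
            "opcode_id": entry.fields.get("Opcode ID"),
            "fuzzy": entry.fields.get("Instruction Fuzzy Hash")}

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print([c.name for c in e.apis], classify(e))
```

On this entry the parser reports access 0x438 = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, a MEM_COMMIT (0x1000) allocation with PAGE_READWRITE (0x4), and no thread-creation API, which is why it lands in the data-buffer bucket. The window messages in the same function (from commctrl.h: 0x1104 is TVM_GETITEMRECT, 0x1111 is TVM_HITTEST, and the 0x1073 / 0x1004 arguments in the subcalls are LVM_GETITEMTEXTW / LVM_GETITEMCOUNT) explain the remote buffer: the target control fills a struct in its own process, so the caller must allocate it there and read it back. That matches AutoIt's control-reading helpers and the AutoIt3GUI / SysTreeView32 strings in the neighbouring entries, but it is an interpretation, not something the report states. Treat the verdict as a heuristic: argument values are only what the sandbox resolved statically, and a '?' in the protection slot would hide an executable allocation, which is why the unresolved case is reported separately instead of being assumed benign. Opcode ID and Instruction Fuzzy Hash are the fields to pivot on across other reports of the same runtime.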
                                              APIs
                                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0035F910,00000000,?,?,?,?), ref: 003579DF
                                              • GetWindowLongW.USER32 ref: 003579FC
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00357A0C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$Long
                                              • String ID: SysTreeView32
                                              • API String ID: 847901565-1698111956
                                              • Opcode ID: eae8c961135bf8490f031ccbdf3e41b6107a4c901f78e2baf6dd9945704f2bc0
                                              • Instruction ID: e94f700f099136d41e838da86583e4e7bc26e20795e71b51969642927aa73273
                                              • Opcode Fuzzy Hash: eae8c961135bf8490f031ccbdf3e41b6107a4c901f78e2baf6dd9945704f2bc0
                                              • Instruction Fuzzy Hash: 8631CD31204206AFDB129E38DC45FEA77A9EF05325F214725F875A32E0D731ED648B60
                                              APIs
                                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00357461
                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00357475
                                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00357499
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window
                                              • String ID: SysMonthCal32
                                              • API String ID: 2326795674-1439706946
                                              • Opcode ID: 41a2cbc4cdd5ff3b2a6e462c6e15526fe25d9a4624b5b193f108b4b3f5348b36
                                              • Instruction ID: 066f96cafeff3287e3eaa86c87bcee28f80d77384d93f9910c8c45c0c7566a60
                                              • Opcode Fuzzy Hash: 41a2cbc4cdd5ff3b2a6e462c6e15526fe25d9a4624b5b193f108b4b3f5348b36
                                              • Instruction Fuzzy Hash: 9A21D372500218BFDF128F55DC46FEA3B69EF48725F120214FE156B1E0DA75AC55CBA0
                                              APIs
                                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00356D3B
                                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00356D4B
                                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00356D70
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$MoveWindow
                                              • String ID: Listbox
                                              • API String ID: 3315199576-2633736733
                                              • Opcode ID: 634176a4be197331093fed4c28ec458a796278b4aecffd3e17400c0e4f43070a
                                              • Instruction ID: 9a4f734afa5b7d182a5d3813f930d002565b5058a351a49ee334d214f9d901df
                                              • Opcode Fuzzy Hash: 634176a4be197331093fed4c28ec458a796278b4aecffd3e17400c0e4f43070a
                                              • Instruction Fuzzy Hash: 0321B032600118BFDF128F54CC46FAB3BBEEB89751F428124F9459B1A0C6719C558BA0
                                              APIs
                                              • __snwprintf.LIBCMT ref: 00343A66
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __snwprintf_memmove
                                              • String ID: , $$AUTOITCALLVARIABLE%d$%6
                                              • API String ID: 3506404897-523069745
                                              • Opcode ID: 0cb3fdd36baa2c4c8f555bbab1fb16fae5087e2371af59b0d1277b9864a4e21f
                                              • Instruction ID: 99d306293f90220966404b9cbda76593f14d5d1d4476b4f9ffed69e40ed744af
                                              • Opcode Fuzzy Hash: 0cb3fdd36baa2c4c8f555bbab1fb16fae5087e2371af59b0d1277b9864a4e21f
                                              • Instruction Fuzzy Hash: 64216F31654219AECF12EF64CC82AAE77B5AF44700F500496F545AB281DB34EE55CBA1
                                              APIs
                                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00357772
                                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00357787
                                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00357794
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: msctls_trackbar32
                                              • API String ID: 3850602802-1010561917
                                              • Opcode ID: c17e3b899213ea8bd852b634cd5fd0822e3deb02f1e6cd679039bc10735573de
                                              • Instruction ID: 01263758654648fc52b596560e11421c4a77a7b83218118e3bab12d845bdda98
                                              • Opcode Fuzzy Hash: c17e3b899213ea8bd852b634cd5fd0822e3deb02f1e6cd679039bc10735573de
                                              • Instruction Fuzzy Hash: 82112772200208BEEF225F60EC05FEB77ADEF88B55F020119FA41960A0D272E811CB10
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __calloc_crt
                                              • String ID: 8$@B9
                                              • API String ID: 3494438863-498105667
                                              • Opcode ID: cbe90ce0c813b964adfb27c805caf8740794e5e91930e62097569a84b9662b06
                                              • Instruction ID: b1c1e76fed2406e5d3cdb27fcb55d07f6dccedbf3d94b4a27033ffe658167a0b
                                              • Opcode Fuzzy Hash: cbe90ce0c813b964adfb27c805caf8740794e5e91930e62097569a84b9662b06
                                              • Instruction Fuzzy Hash: C2F0A47522861A8BE7269F64FC55B72E799E7013B4F200837E700EE180EB7188914780
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,002D4AD0), ref: 002D4B45
                                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 002D4B57
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetNativeSystemInfo$kernel32.dll
                                              • API String ID: 2574300362-192647395
                                              • Opcode ID: df142c25e48f269a79f8b4ccc775a4c1cec5973fdbde630fbc2d81741acf1f36
                                              • Instruction ID: e7297860ecbee965a17944286e764a1e360277d986597d1e2ddcae6934197be6
                                              • Opcode Fuzzy Hash: df142c25e48f269a79f8b4ccc775a4c1cec5973fdbde630fbc2d81741acf1f36
                                              • Instruction Fuzzy Hash: 86D01234A10713CFD721AF31D818F4676E8AF15356F11883BD8C6D6260E670D880C654
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,002D4B83,?), ref: 002D4C44
                                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 002D4C56
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                              • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-1355242751
                                              • Opcode ID: cafd782744a2cdc9929a35f87e08d636cec3f3339c00388bae30aa41d20f23fb
                                              • Instruction ID: 1ecbf3300f221e1cfc4c1756b33643b2b4bb14ac683e70bee10fbf2ce256fa76
                                              • Opcode Fuzzy Hash: cafd782744a2cdc9929a35f87e08d636cec3f3339c00388bae30aa41d20f23fb
                                              • Instruction Fuzzy Hash: FED01770520B13CFD721AF32D908A4A77E8AF05352F11883BD896D6A70E670D980CA50
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,?,002D4BD0,?,002D4DEF,?,003952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4C11
                                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D4C23
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                              • API String ID: 2574300362-3689287502
                                              • Opcode ID: 31fd9b9e03623760907f2ae22556ea43d93ec828d5553af38d3f1cfbc4b394db
                                              • Instruction ID: c6f64ecfb4cacdde4604e79cfe27df5ca8de9e7aaea58fed437287422eac45e1
                                              • Opcode Fuzzy Hash: 31fd9b9e03623760907f2ae22556ea43d93ec828d5553af38d3f1cfbc4b394db
                                              • Instruction Fuzzy Hash: BBD0E230521B13CFD721BF71D948A46BAE9AF09752F11C83AD886D6660E6B0D8808A51
                                              APIs
                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,00351039), ref: 00350DF5
                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00350E07
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: RegDeleteKeyExW$advapi32.dll
                                              • API String ID: 2574300362-4033151799
                                              • Opcode ID: 9c8a5cd2a093b3abc92369107c5fb64ad26a8dbffbaa5e37d1cc359d9da77029
                                              • Instruction ID: 8d4bc987f08803e0ed0971bde31b864ce3ac11e9838f0c98ab74ae1b73292b52
                                              • Opcode Fuzzy Hash: 9c8a5cd2a093b3abc92369107c5fb64ad26a8dbffbaa5e37d1cc359d9da77029
                                              • Instruction Fuzzy Hash: 5ED01770510B22CFD723AF75D809B96B6E9AF05353F268C7ED886D2160E7B1D890CB50
                                              APIs
                                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00348CF4,?,0035F910), ref: 003490EE
                                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00349100
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetModuleHandleExW$kernel32.dll
                                              • API String ID: 2574300362-199464113
                                              • Opcode ID: 18724745984f93ccbc316fc7f1f4eac69c89e5ef1c548e972806894fbbe9f13e
                                              • Instruction ID: 531f128668efd4275ea614f157ec1442b08ae0549ee42ab7111a39cfc709420e
                                              • Opcode Fuzzy Hash: 18724745984f93ccbc316fc7f1f4eac69c89e5ef1c548e972806894fbbe9f13e
                                              • Instruction Fuzzy Hash: 5DD01234510713CFD722AF31D81864776E8AF05352F13883AD986D6560E670D480C790
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LocalTime__swprintf
                                              • String ID: %.3d$WIN_XPe
                                              • API String ID: 2070861257-2409531811
                                              • Opcode ID: 329de5807844d0fbdded0d3d9c47b51e04f34478cdd966ea9c730e759845916c
                                              • Instruction ID: 68d066b856b241914248c603b34e212486d1a95ef6902ca851a19e73d1bdfb4b
                                              • Opcode Fuzzy Hash: 329de5807844d0fbdded0d3d9c47b51e04f34478cdd966ea9c730e759845916c
                                              • Instruction Fuzzy Hash: 6FD01276815209EAC70A9690988C8F9737CA70C301F140462F702D2680E2618BD4EA21
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 471c808cb1326820d15617ee3f3342ffcc8afb8c2e8d3ca80e98112bbd48fe7b
                                              • Instruction ID: b94581cb3fd7d2239479db09538ed9960105378dac089f27e04c477ed46e47a9
                                              • Opcode Fuzzy Hash: 471c808cb1326820d15617ee3f3342ffcc8afb8c2e8d3ca80e98112bbd48fe7b
                                              • Instruction Fuzzy Hash: BEC1B074A04226EFCB15DFA5D884EAEBBB9FF48304B158598F805EB251D730ED81DB90
                                              APIs
                                              • CharLowerBuffW.USER32(?,?), ref: 0034E0BE
                                              • CharLowerBuffW.USER32(?,?), ref: 0034E101
                                                • Part of subcall function 0034D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0034D7C5
                                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0034E301
                                              • _memmove.LIBCMT ref: 0034E314
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: BuffCharLower$AllocVirtual_memmove
                                              • String ID:
                                              • API String ID: 3659485706-0
                                              • Opcode ID: 8054e0a5a21b363d26618ecf4a90b2177bd62ddb7dbfe27100be029a1a76f766
                                              • Instruction ID: 1eb8c1925e9ac394075757bf8c85f768bf0489e08b34ebb5aecdfd4141fa878a
                                              • Opcode Fuzzy Hash: 8054e0a5a21b363d26618ecf4a90b2177bd62ddb7dbfe27100be029a1a76f766
                                              • Instruction Fuzzy Hash: 3DC14371A083019FC715DF28C480A6ABBE4FF89714F14896EF8999B352D771E946CF82
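The function blocks above show two patterns a triager wants to pull out of a Joe Sandbox listing without reading every block by hand: the LoadLibraryA/GetProcAddress stubs that resolve Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW and GetModuleHandleExW at run time (so they never appear in the import table), and the VirtualAlloc(…,00000077,00003000,00000040) followed by _memmove, which is a MEM_COMMIT|MEM_RESERVE allocation with PAGE_EXECUTE_READWRITE that then receives a copy of data, i.e. code being staged into writable, executable memory. The following Python helper is an added example written for this page; it is not code from the Joe Sandbox report nor from the analysed sample. It assumes the line format visible in the report ("• Api.MODULE(arg,...), ref: ADDR", with "Part of subcall function ADDR:" as an optional prefix), takes the sample lines verbatim from the blocks above, and the watchlist of exports and their one-line descriptions is the editor's own.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not report code).

Line format is assumed from the report: "• Api.MODULE(arg1,arg2,...), ref: ADDR",
optionally prefixed with "Part of subcall function ADDR:".
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: call lines copied from the function blocks in the report
# (three LoadLibraryA/GetProcAddress stubs and the VirtualAlloc/_memmove function).
SAMPLE_LISTING = """\
• LoadLibraryA.KERNEL32(kernel32.dll,?,002D4BD0,?,002D4DEF,?,003952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 002D4C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 002D4C23
• LoadLibraryA.KERNEL32(advapi32.dll,?,00351039), ref: 00350DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00350E07
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00348CF4,?,0035F910), ref: 003490EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00349100
• CharLowerBuffW.USER32(?,?), ref: 0034E0BE
  • Part of subcall function 0034D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0034D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0034E301
• _memmove.LIBCMT ref: 0034E314
"""

_LINE = re.compile(
    r"^(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple[str, ...]
    ref: str
    caller: str | None = None  # set for "Part of subcall function" lines


def parse_listing(text: str) -> list[Call]:
    """Turn the report's bullet lines into Call records; lines that do not match are skipped."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = _LINE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["caller"]))
    return calls


def resolved_imports(calls: list[Call]) -> list[tuple[str | None, str]]:
    """Pair each GetProcAddress with the nearest preceding LoadLibrary* call.

    The report prints the module-handle argument as 00000000 (not recovered
    statically), so the DLL name is taken from the preceding LoadLibrary* instead.
    """
    pairs, last_dll = [], None
    for c in calls:
        if c.api.startswith("LoadLibrary") and c.args:
            last_dll = c.args[0].lower()
        elif c.api == "GetProcAddress" and len(c.args) >= 2:
            pairs.append((last_dll, c.args[1]))
    return pairs


# Editor's watchlist (assumption): dynamically resolved exports worth a second look.
WATCHLIST = {
    "Wow64DisableWow64FsRedirection": "32-bit process reaches the native System32 view",
    "Wow64RevertWow64FsRedirection": "restores the redirection disabled above",
    "RegDeleteKeyExW": "deletes registry keys from a chosen 32/64-bit registry view",
}


def flagged_imports(calls: list[Call]) -> list[tuple[str | None, str, str]]:
    return [(dll, name, WATCHLIST[name]) for dll, name in resolved_imports(calls) if name in WATCHLIST]


# VirtualAlloc flag values as defined in the Windows SDK headers.
MEM_COMMIT = 0x1000
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
_EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80


def executable_allocations(calls: list[Call]) -> list[tuple[str, int, str, bool]]:
    """VirtualAlloc calls whose flProtect grants execute: (ref, size, protection, committed)."""
    hits = []
    for c in calls:
        if c.api != "VirtualAlloc" or len(c.args) != 4:
            continue
        try:
            size, alloc_type, protect = (int(a, 16) for a in c.args[1:])
        except ValueError:
            continue  # a '?' argument means the analyser could not recover the value
        if protect & _EXECUTE_BITS:
            hits.append((c.ref, size, PAGE_NAMES.get(protect & 0xFF, hex(protect)),
                         bool(alloc_type & MEM_COMMIT)))
    return hits


def copies_into_executable_memory(calls: list[Call]) -> bool:
    """True when a memmove/memcpy follows an executable VirtualAlloc in the listing:
    the code-staging pattern seen at 0034E301/0034E314 in the report."""
    armed = False
    for c in calls:
        if c.api == "VirtualAlloc" and executable_allocations([c]):
            armed = True
        elif armed and c.api in ("_memmove", "_memcpy", "memcpy"):
            return True
    return False


if __name__ == "__main__":
    calls = parse_listing(SAMPLE_LISTING)
    for dll, name, why in flagged_imports(calls):
        print(f"dynamic import {dll}!{name}: {why}")
    for ref, size, prot, committed in executable_allocations(calls):
        print(f"VirtualAlloc at {ref}: {size:#x} bytes, {prot}, committed={committed}")
    print("code staged into executable memory:", copies_into_executable_memory(calls))
```

Pairing by "nearest preceding LoadLibrary*" is an approximation: the report lists calls in address order within one function, so it holds for the stubs above, but a function that loads several DLLs before resolving exports would need the handle argument, which this report does not recover. Treat the watchlist as a starting point; resolving Wow64 redirection or RegDeleteKeyExW through GetProcAddress is common in legitimate installers too, and the AutoIt runtime carries these stubs regardless of what the script does with them.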
                                              APIs
                                              • CoInitialize.OLE32(00000000), ref: 003480C3
                                              • CoUninitialize.COMBASE ref: 003480CE
                                                • Part of subcall function 0032D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 0032D5D4
                                              • VariantInit.OLEAUT32(?), ref: 003480D9
                                              • VariantClear.OLEAUT32(?), ref: 003483AA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                              • String ID:
                                              • API String ID: 780911581-0
                                              • Opcode ID: ec09d19a18de96a967ff0a89ee45d8b1039a1c56e5b9626b540cef5f324a0c8b
                                              • Instruction ID: d173e808786f116fa17f1b145c807410d30cd315919adff53317e1f78048b6bb
                                              • Opcode Fuzzy Hash: ec09d19a18de96a967ff0a89ee45d8b1039a1c56e5b9626b540cef5f324a0c8b
                                              • Instruction Fuzzy Hash: 5EA147796147019FCB11DF24C481A2EB7E4BF89754F144859F9969B3A1CB30FC45CB82
                                              APIs
                                              • ProgIDFromCLSID.COMBASE(?,00000000), ref: 003276EA
                                              • CoTaskMemFree.COMBASE(00000000), ref: 00327702
                                              • CLSIDFromProgID.COMBASE(?,?), ref: 00327727
                                              • _memcmp.LIBCMT ref: 00327748
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FromProg$FreeTask_memcmp
                                              • String ID:
                                              • API String ID: 314563124-0
                                              • Opcode ID: 60be9f6be62a6f4694386e3229da2bafe4b77b3f711253ebfd5cc8368ad7be40
                                              • Instruction ID: f654b938d9e94919cc0ee33c95a0e3148af50bf5e72bd08d44a0d50d15a648cd
                                              • Opcode Fuzzy Hash: 60be9f6be62a6f4694386e3229da2bafe4b77b3f711253ebfd5cc8368ad7be40
                                              • Instruction Fuzzy Hash: B9813D75A00119EFCB05DFA8D984EEEB7B9FF89315F204158F505AB250DB71AE06CB60
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$AllocClearCopyInitString
                                              • String ID:
                                              • API String ID: 2808897238-0
                                              • Opcode ID: 5a4b82583b996c73ddab48eb9c95fedc6c8a65e11789b52dac8553cf6e7ecaa2
                                              • Instruction ID: 6a0930b0ae5ccb4b4b18d13e2a3f5f0fcfe7bf0e96586945eb099544282e8bc6
                                              • Opcode Fuzzy Hash: 5a4b82583b996c73ddab48eb9c95fedc6c8a65e11789b52dac8553cf6e7ecaa2
                                              • Instruction Fuzzy Hash: 6E5183B47103519EDB25AF65E8A2A3AB3E9AF45310F20D81FE596DB691DF70DC808B01
                                              APIs
                                              • GetWindowRect.USER32(0146E780,?), ref: 00359863
                                              • ScreenToClient.USER32(00000002,00000002), ref: 00359896
                                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00359903
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$ClientMoveRectScreen
                                              • String ID:
                                              • API String ID: 3880355969-0
                                              • Opcode ID: b6be52fbc501f8d6e4aadb8332e1ef35843c0324a6b951599601bc1204852c68
                                              • Instruction ID: 43b15c2c8e6301798e1509d84bf64d16c9f261a9a3be918e549b2a90e9135507
                                              • Opcode Fuzzy Hash: b6be52fbc501f8d6e4aadb8332e1ef35843c0324a6b951599601bc1204852c68
                                              • Instruction Fuzzy Hash: 38512D34A00209EFCF12CF64C984EAE7BB5FF55361F15815AF8659B2A0D731AD85CB90
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00329AD2
                                              • __itow.LIBCMT ref: 00329B03
                                                • Part of subcall function 00329D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00329DBE
                                              • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00329B6C
                                              • __itow.LIBCMT ref: 00329BC3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend$__itow
                                              • String ID:
                                              • API String ID: 3379773720-0
                                              • Opcode ID: d2bb042ae321f6ea2cadf33b2f91a2750221643076e72651037c1b233ec8408c
                                              • Instruction ID: 0068232dac57c5795205ca7ac6fd8e31de382e6720d41ad1242db94d8a047026
                                              • Opcode Fuzzy Hash: d2bb042ae321f6ea2cadf33b2f91a2750221643076e72651037c1b233ec8408c
                                              • Instruction Fuzzy Hash: 66416074A10318ABDF12EF54E846BFE7BB9EF48750F00006AF905A7291DB749E54CBA1
                                              APIs
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0033B89E
                                              • GetLastError.KERNEL32(?,00000000), ref: 0033B8C4
                                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0033B8E9
                                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0033B915
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CreateHardLink$DeleteErrorFileLast
                                              • String ID:
                                              • API String ID: 3321077145-0
                                              • Opcode ID: 3bfa08d1749f7a6e6b9366f6cd70bb968fbc220d870ba38d230f3a7ac45e10af
                                              • Instruction ID: 11586fff0e4ef61adbca4b5f97a35f08d2d7098379f6b79aa0fdd10b37b77fbc
                                              • Opcode Fuzzy Hash: 3bfa08d1749f7a6e6b9366f6cd70bb968fbc220d870ba38d230f3a7ac45e10af
                                              • Instruction Fuzzy Hash: 2E411539A00650DFCB11EF15C485A59BBE5AF4A710F0A8099FD8AAB362CB30FD51DF91
                                              APIs
                                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003588DE
                                              Similarity
                                              • API ID: InvalidateRect
                                              • String ID:
                                              • API String ID: 634782764-0
                                              • Opcode ID: bcc7d6d4e54f3459d030f930edb8dc878f6c763cd866b4f3afdf0dbdd1d39113
                                              • Instruction ID: a4ddbd0407dd266a4fbbc0d95d12053c792d1a4119951fd4d7b69411041ef0d5
                                              • Opcode Fuzzy Hash: bcc7d6d4e54f3459d030f930edb8dc878f6c763cd866b4f3afdf0dbdd1d39113
                                              • Instruction Fuzzy Hash: 9C31C134600108EEEB239B58CC45FB977A9EB05312FA54512FE51F62B1CF31A9489B93
                                              APIs
                                              • ClientToScreen.USER32(?,?), ref: 0035AB60
                                              • GetWindowRect.USER32(?,?), ref: 0035ABD6
                                              • PtInRect.USER32(?,?,0035C014), ref: 0035ABE6
                                              • MessageBeep.USER32(00000000), ref: 0035AC57
                                              Similarity
                                              • API ID: Rect$BeepClientMessageScreenWindow
                                              • String ID:
                                              • API String ID: 1352109105-0
                                              • Opcode ID: b8ea72956c508b715c8986974e985c24dd602411c567d8aecedf56c849fd79a5
                                              • Instruction ID: 65d8650a42cd3efd91d446afd70de995313aa2113f4e8dce184acf051bcc7db2
                                              • Opcode Fuzzy Hash: b8ea72956c508b715c8986974e985c24dd602411c567d8aecedf56c849fd79a5
                                              • Instruction Fuzzy Hash: 0E418D30604A19DFCB13DF58C884E697BF9FF49302F1582A9E855DB270D731A845EB92
                                              APIs
                                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00330B27
                                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 00330B43
                                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00330BA9
                                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00330BFB
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: b42da222b8ee6df10ed5af5c7ee186fb2659df25fe01faa1a11541b19618f637
                                              • Instruction ID: e5af09aa2a06f1d36292e3b1a77352854a9e5d88ee261659eb7c6c042077b497
                                              • Opcode Fuzzy Hash: b42da222b8ee6df10ed5af5c7ee186fb2659df25fe01faa1a11541b19618f637
                                              • Instruction Fuzzy Hash: 68315A70D40318AEFF3B8B298CA5BFAFBA9AB45319F04426AF4D1561D1C375C9809751
                                              APIs
                                              • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00330C66
                                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 00330C82
                                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 00330CE1
                                              • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00330D33
                                              Similarity
                                              • API ID: KeyboardState$InputMessagePostSend
                                              • String ID:
                                              • API String ID: 432972143-0
                                              • Opcode ID: de8b9dc12535892db217e54fba314fa22cc8831cf1975ad99c7137bf023e758b
                                              • Instruction ID: 47881b345a22f324c1e0a3837d9b549d247d3874a9f7e1c454b01368512dcbd7
                                              • Opcode Fuzzy Hash: de8b9dc12535892db217e54fba314fa22cc8831cf1975ad99c7137bf023e758b
                                              • Instruction Fuzzy Hash: DF3189309403186EFF3B8B648C647FEBBBAAB45311F04572AE4815A1E1D3399D45C751
                                              APIs
                                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003061FB
                                              • __isleadbyte_l.LIBCMT ref: 00306229
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00306257
                                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0030628D
                                              Similarity
                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                              • String ID:
                                              • API String ID: 3058430110-0
                                              • Opcode ID: aa947dea3b41394571772d726550084bb62ddc59bf84ec281cfd958bbcab65d0
                                              • Instruction ID: f73605285337a33bd38de53fe6fa5ca413159c68b3bc3a74872198ee64316f7f
                                              • Opcode Fuzzy Hash: aa947dea3b41394571772d726550084bb62ddc59bf84ec281cfd958bbcab65d0
                                              • Instruction Fuzzy Hash: 1631CF3060224AAFDF228F64CC56BBA7BADFF41310F164828E824871E5D730E960DB90
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 00354F02
                                                • Part of subcall function 00333641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0033365B
                                                • Part of subcall function 00333641: GetCurrentThreadId.KERNEL32 ref: 00333662
                                                • Part of subcall function 00333641: AttachThreadInput.USER32(00000000,?,00335005), ref: 00333669
                                              • GetCaretPos.USER32(?), ref: 00354F13
                                              • ClientToScreen.USER32(00000000,?), ref: 00354F4E
                                              • GetForegroundWindow.USER32 ref: 00354F54
                                              Similarity
                                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                              • String ID:
                                              • API String ID: 2759813231-0
                                              • Opcode ID: 108c39cb1d3f31a075ddb2e27df08fd3842db5d7566bbff1936147d7fecaeb8f
                                              • Instruction ID: 66eb95a07da1d3de2691e181f543b7e0073f8cf5e04a6025da69e149066f9fdd
                                              • Opcode Fuzzy Hash: 108c39cb1d3f31a075ddb2e27df08fd3842db5d7566bbff1936147d7fecaeb8f
                                              • Instruction Fuzzy Hash: A1310972900208AFCB01EFA5C8859EEB7FDEF88304F10406AF815E7251EA719E558BA0
                                              APIs
                                                • Part of subcall function 0032810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00328121
                                                • Part of subcall function 0032810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0032812B
                                                • Part of subcall function 0032810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0032813A
                                                • Part of subcall function 0032810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00328141
                                                • Part of subcall function 0032810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00328157
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003286A3
                                              • _memcmp.LIBCMT ref: 003286C6
                                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003286FC
                                              • HeapFree.KERNEL32(00000000), ref: 00328703
                                              Similarity
                                              • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                              • String ID:
                                              • API String ID: 2182266621-0
                                              • Opcode ID: 852c77ad5fb291d72ad30cafdba1e1c96d4d9611c7bbc07185c8edd3ed44c899
                                              • Instruction ID: 6da275d084edf82228f5ca0eb12ae0aec6ead1de75a2fe782d3c872d8a170192
                                              • Opcode Fuzzy Hash: 852c77ad5fb291d72ad30cafdba1e1c96d4d9611c7bbc07185c8edd3ed44c899
                                              • Instruction Fuzzy Hash: 7F21D031E02218EFDB11DFA8D948BEEB7B8FF50315F158059E905AB280DB30AE05CB90
                                              APIs
                                              • __setmode.LIBCMT ref: 002F09AE
                                                • Part of subcall function 002D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337896,?,?,00000000), ref: 002D5A2C
                                                • Part of subcall function 002D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337896,?,?,00000000,?,?), ref: 002D5A50
                                              • _fprintf.LIBCMT ref: 002F09E5
                                              • OutputDebugStringW.KERNEL32(?), ref: 00325DBB
                                                • Part of subcall function 002F4AAA: _flsall.LIBCMT ref: 002F4AC3
                                              • __setmode.LIBCMT ref: 002F0A1A
                                              Similarity
                                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                              • String ID:
                                              • API String ID: 521402451-0
                                              • Opcode ID: 3bf32af28d9a52a22d49f3e4d2709fa96a659dfbecf7cec36d4d423d12b4be2c
                                              • Instruction ID: 7efc73e4bcf2bc9656520ce302fbd783d919d12caa714164f1e0325f0d2a8938
                                              • Opcode Fuzzy Hash: 3bf32af28d9a52a22d49f3e4d2709fa96a659dfbecf7cec36d4d423d12b4be2c
                                              • Instruction Fuzzy Hash: 9211273192461C6FDB05B7B4AC869BEF76C9F453A0F240026F30497283EEB04DA25BA4
                                              APIs
                                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003417A3
                                                • Part of subcall function 0034182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0034184C
                                                • Part of subcall function 0034182D: InternetCloseHandle.WININET(00000000), ref: 003418E9
                                              Similarity
                                              • API ID: Internet$CloseConnectHandleOpen
                                              • String ID:
                                              • API String ID: 1463438336-0
                                              • Opcode ID: c0db7a845565b305b9bf313c7d6ee93324fcbedb0124f88e3851d53886f65bd9
                                              • Instruction ID: 1221454de2bfcb7bff144106cd6eaf1269ec2e47b1ffb34428baec1f032b69c0
                                              • Opcode Fuzzy Hash: c0db7a845565b305b9bf313c7d6ee93324fcbedb0124f88e3851d53886f65bd9
                                              • Instruction Fuzzy Hash: D5218E35200A05BFEB139F60DC01BBABBEDFB48751F10412AFA519A660DB71A85197A0
                                              APIs
                                              • GetFileAttributesW.KERNEL32(?,0035FAC0), ref: 00333A64
                                              • GetLastError.KERNEL32 ref: 00333A73
                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 00333A82
                                              • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0035FAC0), ref: 00333ADF
                                              Similarity
                                              • API ID: CreateDirectory$AttributesErrorFileLast
                                              • String ID:
                                              • API String ID: 2267087916-0
                                              • Opcode ID: 1d4ea2a3d1105fc5b74489acb1d6d529d61c8755906ee1eead728f7a8d0ac3ca
                                              • Instruction ID: 476e7d48c1f59128a17b59e2078fb92ee951bf9d43b6b19c06dc1d400f7a63e4
                                              • Opcode Fuzzy Hash: 1d4ea2a3d1105fc5b74489acb1d6d529d61c8755906ee1eead728f7a8d0ac3ca
                                              • Instruction Fuzzy Hash: 3F2183745083059F8311DF28C8858AAB7E8EF55365F108A2EF499C72A1E731DE49CF82
                                              APIs
                                              • _free.LIBCMT ref: 00305101
                                                • Part of subcall function 002F571C: __FF_MSGBANNER.LIBCMT ref: 002F5733
                                                • Part of subcall function 002F571C: __NMSG_WRITE.LIBCMT ref: 002F573A
                                                • Part of subcall function 002F571C: RtlAllocateHeap.NTDLL(01450000,00000000,00000001), ref: 002F575F
                                              Similarity
                                              • API ID: AllocateHeap_free
                                              • String ID:
                                              • API String ID: 614378929-0
                                              • Opcode ID: 900e4c32ac8ca20b68cc1310483f0e5fdea5f26bf7bdc589fb4f49a620636bfb
                                              • Instruction ID: 3216692991662fa5e6cf0b3873dc271d12978e16eb9321a505e5e870f3ccf053
                                              • Opcode Fuzzy Hash: 900e4c32ac8ca20b68cc1310483f0e5fdea5f26bf7bdc589fb4f49a620636bfb
                                              • Instruction Fuzzy Hash: 6911C172516A19AEDF272F74EC1577FB79C9B003A1F11093AFA44962A0DE3088508F90
                                              APIs
                                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003285E2
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 003285E9
                                              • CloseHandle.KERNEL32(00000004), ref: 00328603
                                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00328632
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                              • String ID:
                                              • API String ID: 2621361867-0
                                              • Opcode ID: 0bdae6894c3b3dec0c93c702438a441430dfd0f6f253383c2d6fc141b4b468fe
                                              • Instruction ID: 4f7ab808e6ab0c5ee1e0d4541168a11acfbced43fb37a69c4e3e70d8a324cda9
                                              • Opcode Fuzzy Hash: 0bdae6894c3b3dec0c93c702438a441430dfd0f6f253383c2d6fc141b4b468fe
                                              • Instruction Fuzzy Hash: 731159B2501209AFDF028FA4ED49BEE7BADEF08345F154064FE04A21A0C7729D60EB60
                                              APIs
                                                • Part of subcall function 002D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00337896,?,?,00000000), ref: 002D5A2C
                                                • Part of subcall function 002D5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00337896,?,?,00000000,?,?), ref: 002D5A50
                                              • gethostbyname.WS2_32(?), ref: 00346399
                                              • WSAGetLastError.WS2_32(00000000), ref: 003463A4
                                              • _memmove.LIBCMT ref: 003463D1
                                              • inet_ntoa.WS2_32(?), ref: 003463DC
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                              • String ID:
                                              • API String ID: 1504782959-0
                                              • Opcode ID: 66af92e4b5412d296f59a51ed03895df3be505c27f73e1bfaffdd09a7458e56a
                                              • Instruction ID: 8a542193573534f16979d27b7505215c5b181c7996be284308d05bf8ad26ee6f
                                              • Opcode Fuzzy Hash: 66af92e4b5412d296f59a51ed03895df3be505c27f73e1bfaffdd09a7458e56a
                                              • Instruction Fuzzy Hash: 3A116036510109AFCB01FFA4DD86CEEB7BCAF09311B144066F506AB261DB30AE14DFA1
                                              APIs
                                              • SendMessageW.USER32(?,000000B0,?,?), ref: 00328B61
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00328B73
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00328B89
                                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00328BA4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 21f4107655deae1cb3eace835f98065a916c5ebee2071584cdf1a3e903bed314
                                              • Instruction ID: 5770586bbc73cc7a8f49f1feddd83284572ff7157dc9d67c623656bdc95f6770
                                              • Opcode Fuzzy Hash: 21f4107655deae1cb3eace835f98065a916c5ebee2071584cdf1a3e903bed314
                                              • Instruction Fuzzy Hash: F0112E79901218FFDB11DF95CC85F9DBBB8FB48710F204095E900B7250DA716E11DB94
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0032D84D
                                              • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0032D864
                                              • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0032D879
                                              • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0032D897
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Type$Register$FileLoadModuleNameUser
                                              • String ID:
                                              • API String ID: 1352324309-0
                                              • Opcode ID: cfd8597a6f495f722d81b487807e7349fcce8f159735a77375d587401883e7c8
                                              • Instruction ID: 7874f0f743f84992f16f7e1baec867f68ac1bd064304b4b677a0f6e18eb3f7b4
                                              • Opcode Fuzzy Hash: cfd8597a6f495f722d81b487807e7349fcce8f159735a77375d587401883e7c8
                                              • Instruction Fuzzy Hash: 6C116DB5605324EFE3228F51EC08F93BBFCEB00B00F108569AA56D6450D7B0E949DBA1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                              • String ID:
                                              • API String ID: 3016257755-0
                                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction ID: 671882dc17272e4b48ece7a22da3ddebc6bd45ac80629551c3c4e0e3a3937905
                                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                              • Instruction Fuzzy Hash: 1F014C7284A14EBBCF175F84CC21CEE3F66BB18394F598515FE18580B1D236E9B1AB81
                                              APIs
                                              • GetWindowRect.USER32(?,?), ref: 0035B2E4
                                              • ScreenToClient.USER32(?,?), ref: 0035B2FC
                                              • ScreenToClient.USER32(?,?), ref: 0035B320
                                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0035B33B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClientRectScreen$InvalidateWindow
                                              • String ID:
                                              • API String ID: 357397906-0
                                              • Opcode ID: 1c042699668b6879805d14b5fd1ef5b6ad96cff3f392e5059f9ffba8e10582b2
                                              • Instruction ID: 503929e6bb4ccd68d9f607eb7e8498c926d146104d0d56eb326ba74b26bae01f
                                              • Opcode Fuzzy Hash: 1c042699668b6879805d14b5fd1ef5b6ad96cff3f392e5059f9ffba8e10582b2
                                              • Instruction Fuzzy Hash: AB1143B9D00209EFDB41CFA9C8849EEFBB9FB08311F108166E914E3220D735AA558F50
                                              APIs
                                              • RtlEnterCriticalSection.NTDLL(?), ref: 00336BE6
                                                • Part of subcall function 003376C4: _memset.LIBCMT ref: 003376F9
                                              • _memmove.LIBCMT ref: 00336C09
                                              • _memset.LIBCMT ref: 00336C16
                                              • RtlLeaveCriticalSection.NTDLL(?), ref: 00336C26
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CriticalSection_memset$EnterLeave_memmove
                                              • String ID:
                                              • API String ID: 48991266-0
                                              • Opcode ID: 039c87ebc045c9a9030af78357320d65f8884ca64396a6fd57070cc90942fe7c
                                              • Instruction ID: d7bc991a922494e1ad928061251625420f393f14e5892e26f0bd90955cb17523
                                              • Opcode Fuzzy Hash: 039c87ebc045c9a9030af78357320d65f8884ca64396a6fd57070cc90942fe7c
                                              • Instruction Fuzzy Hash: 4DF0F47E100204ABCF026F55DCC5A5ABB29EF45361F048065FE095E267DB31E911DBB4
                                              APIs
                                              • GetSysColor.USER32(00000008), ref: 002D2231
                                              • SetTextColor.GDI32(?,000000FF), ref: 002D223B
                                              • SetBkMode.GDI32(?,00000001), ref: 002D2250
                                              • GetStockObject.GDI32(00000005), ref: 002D2258
                                              • GetWindowDC.USER32(?,00000000), ref: 0030BE83
                                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 0030BE90
                                              • GetPixel.GDI32(00000000,?,00000000), ref: 0030BEA9
                                              • GetPixel.GDI32(00000000,00000000,?), ref: 0030BEC2
                                              • GetPixel.GDI32(00000000,?,?), ref: 0030BEE2
                                              • ReleaseDC.USER32(?,00000000), ref: 0030BEED
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                              • String ID:
                                              • API String ID: 1946975507-0
                                              • Opcode ID: 3a0ee820df1d63e5edf649e79a5e41a8524e7eb8a9022d2f3207d4a670f0bd6f
                                              • Instruction ID: 9c794090ec6a3c866102c7ca4e8696f9dc3c9d63e933dc09507b5ca3704755ac
                                              • Opcode Fuzzy Hash: 3a0ee820df1d63e5edf649e79a5e41a8524e7eb8a9022d2f3207d4a670f0bd6f
                                              • Instruction Fuzzy Hash: 42E03932104644EEDB225F64FC0DBD87B14EB15332F008366FA69580F187718A90DB12
                                              APIs
                                              • GetCurrentThread.KERNEL32 ref: 0032871B
                                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,003282E6), ref: 00328722
                                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003282E6), ref: 0032872F
                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,003282E6), ref: 00328736
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CurrentOpenProcessThreadToken
                                              • String ID:
                                              • API String ID: 3974789173-0
                                              • Opcode ID: 021a8d6f3701aa10733d8cd5830950ae577fe925056ee23a2ec8e2039955b734
                                              • Instruction ID: 927830a9524693aa78e657faff99bbb0d9c06d619deaa45b085654ac4649acd4
                                              • Opcode Fuzzy Hash: 021a8d6f3701aa10733d8cd5830950ae577fe925056ee23a2ec8e2039955b734
                                              • Instruction Fuzzy Hash: 52E086766123219FD7615FB4AD0CB573BBCEF60793F154828B285CA0E0DA348441C750
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID: %6
                                              • API String ID: 0-3279475170
                                              • Opcode ID: 135f8442730ad06893938b9e4414aff6b590d8353cf52fcfdc74512a0eb900ad
                                              • Instruction ID: 92a1e7e499b6396b42a4ce104cd0b9a9a7e0dd8c9c55c156aaac6be0407595d3
                                              • Opcode Fuzzy Hash: 135f8442730ad06893938b9e4414aff6b590d8353cf52fcfdc74512a0eb900ad
                                              • Instruction Fuzzy Hash: 36B1E67182010A9BCF24EF98C489AFEB7B9FF44310F104067E911A7391EB749EA1CB91
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: __itow_s
                                              • String ID: xb9$xb9
                                              • API String ID: 3653519197-3600463160
                                              • Opcode ID: 2a40d7745ebde0aeaa4a812cfeea7e9549dbea38ccde9e3e41432f344cb7fd65
                                              • Instruction ID: ec4b87e1f2481ed35380b1bc0ef1637a0c177113b326fb55e380cde848635cb5
                                              • Opcode Fuzzy Hash: 2a40d7745ebde0aeaa4a812cfeea7e9549dbea38ccde9e3e41432f344cb7fd65
                                              • Instruction Fuzzy Hash: FEB16C70A00109EFCB15DF54C891EAABBF9EF59300F14845AF9459B292EB71ED85CB60
                                              APIs
                                                • Part of subcall function 002EFC86: _wcscpy.LIBCMT ref: 002EFCA9
                                                • Part of subcall function 002D9837: __itow.LIBCMT ref: 002D9862
                                                • Part of subcall function 002D9837: __swprintf.LIBCMT ref: 002D98AC
                                              • __wcsnicmp.LIBCMT ref: 0033B02D
                                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0033B0F6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                              • String ID: LPT
                                              • API String ID: 3222508074-1350329615
                                              • Opcode ID: 43325d750e8d8291dffa5129c530cc74e258de5ad677f8bd8a61bbd8677f8503
                                              • Instruction ID: 2c051685c92b7af0378bb4f5fcebce33523ecc807ef9968b6558ac82108c6554
                                              • Opcode Fuzzy Hash: 43325d750e8d8291dffa5129c530cc74e258de5ad677f8bd8a61bbd8677f8503
                                              • Instruction Fuzzy Hash: E1618475E10219AFCB19DF94C891EAEF7B4EF08710F11406AFA56AB351D770AE84CB50
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 002E2968
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 002E2981
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: GlobalMemorySleepStatus
                                              • String ID: @
                                              • API String ID: 2783356886-2766056989
                                              • Opcode ID: 820ccc3f5a42863aa9b07be26f1948edd73e1616e0d6a6bc95d420b8eb158050
                                              • Instruction ID: b8e3be0c87e85565845f37bed6488178bc797c9a53781d5e1a9c72eeab6fe9cc
                                              • Opcode Fuzzy Hash: 820ccc3f5a42863aa9b07be26f1948edd73e1616e0d6a6bc95d420b8eb158050
                                              • Instruction Fuzzy Hash: 435147724187449BD321EF10D886BAFBBECFB85344F41885EF2D8811A1DB309979CB66
                                              APIs
                                                • Part of subcall function 002D4F0B: __fread_nolock.LIBCMT ref: 002D4F29
                                              • _wcscmp.LIBCMT ref: 00339824
                                              • _wcscmp.LIBCMT ref: 00339837
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: _wcscmp$__fread_nolock
                                              • String ID: FILE
                                              • API String ID: 4029003684-3121273764
                                              • Opcode ID: 23a8904927e139b17454ab1486ec86257110cd92eda52013787b2b004b062f94
                                              • Instruction ID: b0a3ae37e184ee8ca6a7d872e91bc96852e70c81d46caeb24615ffc06e4de256
                                              • Opcode Fuzzy Hash: 23a8904927e139b17454ab1486ec86257110cd92eda52013787b2b004b062f94
                                              • Instruction Fuzzy Hash: C741B671A00209BBDF21ABA0CC85FEFB7BDDF85710F01046AF904BB280DA71AD148B61
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClearVariant
                                              • String ID: Dd9$Dd9
                                              • API String ID: 1473721057-338371185
                                              • Opcode ID: c15f96b6ff66e2ea75dc9a3d0edf3b8f1e3ba8c6801ed9b1820b1475eb8a8cbb
                                              • Instruction ID: a1c458ee50c8196dfe2b8bdef8e1d48a38460be5921c47bd3358dd50353decdc
                                              • Opcode Fuzzy Hash: c15f96b6ff66e2ea75dc9a3d0edf3b8f1e3ba8c6801ed9b1820b1475eb8a8cbb
                                              • Instruction Fuzzy Hash: E15114786293428FD755CF19C484A1ABBF1BB99350F54881EF8858B361D371EC91CF42
                                              APIs
                                              • _memset.LIBCMT ref: 0034259E
                                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003425D4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CrackInternet_memset
                                              • String ID: |
                                              • API String ID: 1413715105-2343686810
                                              • Opcode ID: b157adb2360a61446f9fe84cbf82309ada745d4ed084e9b2005b8f7831b4c6a3
                                              • Instruction ID: 7cb8a0f2997aac89c66efd9ff2005dcb0ab9ccf6081a50e8928e4eb2d47bdcfc
                                              • Opcode Fuzzy Hash: b157adb2360a61446f9fe84cbf82309ada745d4ed084e9b2005b8f7831b4c6a3
                                              • Instruction Fuzzy Hash: CF310771811119ABDF01AFA5CC85EEEBFB8FF08354F10006AF914BA262EA355965DF60
                                              APIs
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00357B61
                                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00357B76
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: '
                                              • API String ID: 3850602802-1997036262
                                              • Opcode ID: 0e1404dbcbce652d87ca29a53979794268c8c3082457717002727172d1fe55c3
                                              • Instruction ID: 2c654f5e19ff5630e6de417779b97f40232846c4c88d59220ea6d214725283e7
                                              • Opcode Fuzzy Hash: 0e1404dbcbce652d87ca29a53979794268c8c3082457717002727172d1fe55c3
                                              • Instruction Fuzzy Hash: 10412874A0430A9FDB15CF64D880FDABBB9FB08301F11016AED04AB351D770AA55CF90
                                              APIs
                                              • DestroyWindow.USER32(?,?,?,?), ref: 00356B17
                                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00356B53
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$DestroyMove
                                              • String ID: static
                                              • API String ID: 2139405536-2160076837
                                              • Opcode ID: 650950e98566fa52d1376467f0d2a7cdd9f21dc6de4c6b2294522c60c49069fa
                                              • Instruction ID: 20045c4406d9e38cc82dc9ceb0bac76887e3edd609de331f3f978942c9faaac8
                                              • Opcode Fuzzy Hash: 650950e98566fa52d1376467f0d2a7cdd9f21dc6de4c6b2294522c60c49069fa
                                              • Instruction Fuzzy Hash: BF31AD71200604AEDB129F65CC81EFB73ADFF48761F50861AFDA5D71A0DA30AC95CB60
                                              APIs
                                              • _memset.LIBCMT ref: 00332911
                                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0033294C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: 24365f5c5a143ff00aba6e08f4956a81d88fdc3011b3291184fda62591dac2ed
                                              • Instruction ID: 00e36f1f2087c0841434b0608eaa1688954aa9fd3ffefd0b23ce0784637e2536
                                              • Opcode Fuzzy Hash: 24365f5c5a143ff00aba6e08f4956a81d88fdc3011b3291184fda62591dac2ed
                                              • Instruction Fuzzy Hash: D831D231A00309DFEB26CF58CCC5BAFBBB8EF45350F160029E985A61A1D7709954CB51
                                              APIs
                                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00356761
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0035676C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID: Combobox
                                              • API String ID: 3850602802-2096851135
                                              • Opcode ID: 1feb7a38e6cfe7f8135421fefc93791465b78613fba9a4dda076053abc9dbd1f
                                              • Instruction ID: 199d1a9bfd478afe2aebe2787aba1f5fda67f42436e7a1c0ffd6c62d4bc4c7fd
                                              • Opcode Fuzzy Hash: 1feb7a38e6cfe7f8135421fefc93791465b78613fba9a4dda076053abc9dbd1f
                                              • Instruction Fuzzy Hash: 9011B271200208AFEF269F54CC82EBB376EEB48369F510229FD14972A0D631DC5587A0
                                              APIs
                                                • Part of subcall function 002D1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 002D1D73
                                                • Part of subcall function 002D1D35: GetStockObject.GDI32(00000011), ref: 002D1D87
                                                • Part of subcall function 002D1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 002D1D91
                                              • GetWindowRect.USER32(00000000,?), ref: 00356C71
                                              • GetSysColor.USER32(00000012), ref: 00356C8B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                                              • String ID: static
                                              • API String ID: 1983116058-2160076837
                                              • Opcode ID: ae6d6208ea1e083408890c80ae1f5a8278df9638fbae9ade45e3673c958dafd7
                                              • Instruction ID: b837dd092b2eed6c06d15d62f907bd5ae7761542bb18211e89ff8b8f8e3dd4f1
                                              • Opcode Fuzzy Hash: ae6d6208ea1e083408890c80ae1f5a8278df9638fbae9ade45e3673c958dafd7
                                              • Instruction Fuzzy Hash: 93211772510209AFDB05DFA8CC46EEA7BA9FB08315F014629FD95D3260E735E864DB60
                                              APIs
                                              • GetWindowTextLengthW.USER32(00000000), ref: 003569A2
                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003569B1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: LengthMessageSendTextWindow
                                              • String ID: edit
                                              • API String ID: 2978978980-2167791130
                                              • Opcode ID: 98e9c6130f4a15910f1087c4db09a1269c5594031d0394a77fce7b34e1ca6c50
                                              • Instruction ID: a7acb80c717d4dd4fce79abf03a128ba0dd532ce921398a0937a40cecabc7789
                                              • Opcode Fuzzy Hash: 98e9c6130f4a15910f1087c4db09a1269c5594031d0394a77fce7b34e1ca6c50
                                              • Instruction Fuzzy Hash: C1115B71500204ABEB128E64DC42EEB37A9EB06376F914624FDA5971F0C7319C589B60
                                              APIs
                                              • _memset.LIBCMT ref: 00332A22
                                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00332A41
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: InfoItemMenu_memset
                                              • String ID: 0
                                              • API String ID: 2223754486-4108050209
                                              • Opcode ID: a113278b7a308e8438ba80ae757919a6ddd1c7987b3b57c4f2817dc48077b693
                                              • Instruction ID: 2fe8badb10dd897e2216c580dd82625aac1bc03c9d0d4c2b76c531f245d5d64c
                                              • Opcode Fuzzy Hash: a113278b7a308e8438ba80ae757919a6ddd1c7987b3b57c4f2817dc48077b693
                                              • Instruction Fuzzy Hash: 9B11B632905114AFDF33DF58DC84BAB77BCAB45310F264021E995E72A0DB70AD0AC791
                                              APIs
                                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0034222C
                                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00342255
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Internet$OpenOption
                                              • String ID: <local>
                                              • API String ID: 942729171-4266983199
                                              • Opcode ID: 0198d5c7d29023b00b9058dc335075a0d733d30d8be243a2fd31f41dbbd001b3
                                              • Instruction ID: 673b61978a8b94d754f94c7a40ca2aeaa9cecb018fed5dfeb23c923891e22ada
                                              • Opcode Fuzzy Hash: 0198d5c7d29023b00b9058dc335075a0d733d30d8be243a2fd31f41dbbd001b3
                                              • Instruction Fuzzy Hash: FF110270501225BEDB268F118C84FFBFBECFF0A351F50862AF905AA400D2B06980D6F0
                                              APIs
                                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,002D3C14,003952F8,?,?,?), ref: 002E096E
                                                • Part of subcall function 002D7BCC: _memmove.LIBCMT ref: 002D7C06
                                              • _wcscat.LIBCMT ref: 00314CB7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FullNamePath_memmove_wcscat
                                              • String ID: S9
                                              • API String ID: 257928180-715264515
                                              • Opcode ID: 87c3f8118ded1741230982845d3fc3480606604d6925d0d37cb88a0b8d589eba
                                              • Instruction ID: 9057bcf73dc4cc5ecd5b3fa6d02662f6b2c8d6d11a9a224ea5906aca146a1396
                                              • Opcode Fuzzy Hash: 87c3f8118ded1741230982845d3fc3480606604d6925d0d37cb88a0b8d589eba
                                              • Instruction Fuzzy Hash: 1411E534A652089BCB02EFA4C885EDD73F8AF08740B4044A3B948D7282EAB09AD94F10
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 0032AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0032AABC
                                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00328E73
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 30c089438aadeff00382824a86a82a5cb43aedbc78a13d20f7fb3e015e1069ea
                                              • Instruction ID: add312b9d2459404f97d7009f77185ce676b3e2c7f7bde810ab445b941a54e72
                                              • Opcode Fuzzy Hash: 30c089438aadeff00382824a86a82a5cb43aedbc78a13d20f7fb3e015e1069ea
                                              • Instruction Fuzzy Hash: 2701F571616239AB8B16EBA4DC528FE7369AF01320B100A5AF871573E1EE315C18C690
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 0032AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0032AABC
                                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 00328D6B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 1a91f2f24b86689112879e9edbe1aec07dc83ab81b3beb63f855a8e46b0416f1
                                              • Instruction ID: 04383e74e5d92398efe3d0e3c292078c316a20661d04b39fa6b60ac466d8bd2a
                                              • Opcode Fuzzy Hash: 1a91f2f24b86689112879e9edbe1aec07dc83ab81b3beb63f855a8e46b0416f1
                                              • Instruction Fuzzy Hash: D601F771A41119ABCF16EBA0D952EFF73ADDF15300F20005AB801672E1DE249E1CD6B1
                                              APIs
                                                • Part of subcall function 002D7DE1: _memmove.LIBCMT ref: 002D7E22
                                                • Part of subcall function 0032AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0032AABC
                                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 00328DEE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClassMessageNameSend_memmove
                                              • String ID: ComboBox$ListBox
                                              • API String ID: 372448540-1403004172
                                              • Opcode ID: 27f1f93095cd20a6cb3cff1e1dda1210036f47cb5f7d6498f84235df815cb091
                                              • Instruction ID: ec57766252f3c94f9471fb57a9df257622e9b0cb326aa361962959d19fdc80aa
                                              • Opcode Fuzzy Hash: 27f1f93095cd20a6cb3cff1e1dda1210036f47cb5f7d6498f84235df815cb091
                                              • Instruction Fuzzy Hash: 0B01F271A46219ABCB12EBA4D952EFE73AD9F11300F200016B80163292DE258E1CD6B1
                                              APIs
                                              • VariantInit.OLEAUT32(?), ref: 0032C534
                                                • Part of subcall function 0032C816: _memmove.LIBCMT ref: 0032C860
                                                • Part of subcall function 0032C816: VariantInit.OLEAUT32(00000000), ref: 0032C882
                                                • Part of subcall function 0032C816: VariantCopy.OLEAUT32(00000000,?), ref: 0032C88C
                                              • VariantClear.OLEAUT32(?), ref: 0032C556
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Variant$Init$ClearCopy_memmove
                                              • String ID: d}8
                                              • API String ID: 2932060187-34342347
                                              • Opcode ID: 1fb6f87a0337331be37f4227361dd6c54be0235893d47dfbc9eb27ea2598a0bb
                                              • Instruction ID: fe07fff1b5f17b91d546d186de10586c8de5fa31b6d4c771d566acb6fd1aef6f
                                              • Opcode Fuzzy Hash: 1fb6f87a0337331be37f4227361dd6c54be0235893d47dfbc9eb27ea2598a0bb
                                              • Instruction Fuzzy Hash: 891100B19007089FC721EF9AD88489AF7F8FF08710B50856FE58AD7611D771AA49CF90
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: ClassName_wcscmp
                                              • String ID: #32770
                                              • API String ID: 2292705959-463685578
                                              • Opcode ID: b156cc3ce2164f626fb5661141904c56aa47df56f50337046009e48223e4452f
                                              • Instruction ID: f520cd7539a8d085e4356a29d082291ac41699e19612ebca0d51d9428b1a9a7d
                                              • Opcode Fuzzy Hash: b156cc3ce2164f626fb5661141904c56aa47df56f50337046009e48223e4452f
                                              • Instruction Fuzzy Hash: 71E0D83260032C2BD721EB99EC4AFA7F7ACEB86B71F010067FD04D3051D960AA558BE0
                                              APIs
                                                • Part of subcall function 0030B314: _memset.LIBCMT ref: 0030B321
                                                • Part of subcall function 002F0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00394158,00000000,00394144,0030B2F0,?,?,?,002D100A), ref: 002F0945
                                              • IsDebuggerPresent.KERNEL32(?,?,?,002D100A), ref: 0030B2F4
                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002D100A), ref: 0030B303
                                              Strings
                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0030B2FE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                              • API String ID: 3158253471-631824599
                                              • Opcode ID: 8b776444c31ea55163bb788db194444e777edbf7e6bf929acc2a9e5f07626199
                                              • Instruction ID: 5d6b64bc9a9d2ee86619c3cc647d23cd1bc12d324f744da8b86206944b8db9b9
                                              • Opcode Fuzzy Hash: 8b776444c31ea55163bb788db194444e777edbf7e6bf929acc2a9e5f07626199
                                              • Instruction Fuzzy Hash: B2E06D782117008FD7229F28D914746BAE8AF00705F108DADE486C7791E7B4D444CBA1
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?), ref: 00311775
                                                • Part of subcall function 0034BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0031195E,?), ref: 0034BFFE
                                                • Part of subcall function 0034BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0034C010
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0031196D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                              • String ID: WIN_XPe
                                              • API String ID: 582185067-3257408948
                                              • Opcode ID: 02bdc4240b2c17818a8fef5ef5f47eed0401e77221c9419ac32613f1c74e3d0b
                                              • Instruction ID: ac0ccb408016ca0b49a1077da1208a1ae45197129a436f8c6966a41fedb1f03c
                                              • Opcode Fuzzy Hash: 02bdc4240b2c17818a8fef5ef5f47eed0401e77221c9419ac32613f1c74e3d0b
                                              • Instruction Fuzzy Hash: 55F0C971811109DFDB1ADBA1C988AECBBFCAB08301F640096E202A62A0D7719F84DF61
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0035596E
                                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00355981
                                                • Part of subcall function 00335244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003352BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: f4ddc7fe93263829df490ba4c2207814c9367c84a9c32bca950883c0eb0bdc13
                                              • Instruction ID: 470df20d4926ea7bcb1d1a5141b4c5def2e7a84b00e75ffb55fd94176dd2d3b6
                                              • Opcode Fuzzy Hash: f4ddc7fe93263829df490ba4c2207814c9367c84a9c32bca950883c0eb0bdc13
                                              • Instruction Fuzzy Hash: 3BD0C935384311BBE665BB709C4BFD76A28AB01B52F000865B349AB1E0D9E09800C654
                                              APIs
                                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003559AE
                                              • PostMessageW.USER32(00000000), ref: 003559B5
                                                • Part of subcall function 00335244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003352BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2240081920.00000000002D1000.00000040.00000001.01000000.00000003.sdmp, Offset: 002D0000, based on PE: true
                                               • Associated: 00000000.00000002.2240065147.00000000002D0000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000384000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000038E000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.000000000039D000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240081920.0000000000423000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240238561.0000000000429000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2240255500.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_2d0000_8kjlHXmbAY.jbxd
                                              Similarity
                                              • API ID: FindMessagePostSleepWindow
                                              • String ID: Shell_TrayWnd
                                              • API String ID: 529655941-2988720461
                                              • Opcode ID: 8e35e56ac1a1ac344dde76b0bf9c649835647bd31e5188b02926275496be0b0f
                                              • Instruction ID: 613d4a774c030c7ae843de41218eabab61046ebfc257eb59838c069b40b14736
                                              • Opcode Fuzzy Hash: 8e35e56ac1a1ac344dde76b0bf9c649835647bd31e5188b02926275496be0b0f
                                              • Instruction Fuzzy Hash: 23D0C9313C0311BBE666BB709C4BFD76628AB05B52F000865B345EB1E0D9E0A800C658